Rotem Kerner, a security researcher with enSilo, has discovered a new process injection technique that can be abused by malicious actors to hide malware inside Windows-based CLI applications.
The technique, named Ctrl-Inject, abuses the Windows "CtrlRoutine" function, which command-line applications use to handle keyboard-based interaction between the user and the app.
In a technical write-up published yesterday, Kerner described a way that a malicious actor could abuse this function to spawn malicious threads inside a legitimate CLI app's process and run malicious code.
"The main advantage of this technique over the classic thread injection technique is that the remote thread is created by a trusted Windows process, csrss.exe, which makes it much stealthier," Kerner said.
"Essentially, in this process injection technique, we inject our code into the target process, but we never invoke it directly," the expert added. "Instead, we are making csrss.exe invoke it for us, which is far less suspicious since this is a normal behavior."
"The disadvantage is that [Ctrl-Inject is] limited to console applications," Kerner said.
Apps that could be abused via Ctrl-Inject include cmd.exe or powershell.exe, both standard applications on most Windows versions.
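The detection angle follows directly from Kerner's own description: csrss.exe starting a thread inside a console host is routine, so the useful signal is not the thread creation itself but where that thread starts. The script below is an added example written for this article, not code from Kerner or enSilo. It assumes telemetry shaped like Sysmon Event ID 8 (CreateRemoteThread) records with SourceImage, TargetImage, StartModule and StartFunction fields, and it assumes, as a tunable baseline, that the legitimate console control routine resolves into kernelbase.dll or kernel32.dll. Both the record format and the baseline are assumptions to validate against your own hosts; the sample records are constructed.

```python
"""Flag csrss.exe thread creations in console hosts whose start address does
not resolve to the expected Windows handler module.

Added example for this article; not Kerner's or enSilo's code. Assumed: events
mirror Sysmon Event ID 8 field names, and the normal console control routine
lives in kernelbase.dll or kernel32.dll (tune this baseline to your fleet).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Console hosts the article names as candidate targets.
CONSOLE_TARGETS = {"cmd.exe", "powershell.exe"}
# Assumed baseline: modules where the legitimate control routine resolves.
EXPECTED_START_MODULES = {"kernelbase.dll", "kernel32.dll"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str    # module owning the new thread's start address ("" if none)
    start_function: str  # exported symbol at that address ("" if unresolved)


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """csrss.exe -> console host is expected only when the thread starts inside
    the system module that implements the control routine."""
    if _basename(ev.source_image) != "csrss.exe":
        return False
    if _basename(ev.target_image) not in CONSOLE_TARGETS:
        return False
    return _basename(ev.start_module) not in EXPECTED_START_MODULES


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one constructed 'Key=Value|Key=Value' record (Sysmon ID 8 names)."""
    fields: Dict[str, str] = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return RemoteThreadEvent(
        source_image=fields.get("SourceImage", ""),
        target_image=fields.get("TargetImage", ""),
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def find_suspicious(lines: Iterable[str]) -> List[RemoteThreadEvent]:
    """Return the parsed events that the rule flags."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # Ordinary Ctrl+C: csrss.exe starts the handler inside kernelbase.dll.
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\cmd.exe"
    "|StartModule=C:\\Windows\\System32\\KERNELBASE.dll|StartFunction=CtrlRoutine",
    # Thread starts at an address backed by no module: flagged.
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\cmd.exe"
    "|StartModule=|StartFunction=",
    # Not a console host: outside this rule's scope.
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe"
    "|StartModule=|StartFunction=",
    # Different source process: left to other rules.
    "SourceImage=C:\\Tools\\debugger.exe|TargetImage=C:\\Windows\\System32\\powershell.exe"
    "|StartModule=|StartFunction=",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print("suspicious:", ev)
```

Only the second record is flagged: the source and target match the normal Ctrl+C pattern, but the thread begins at an address no loaded module claims, which is the deviation worth alerting on. Expect to refine the baseline per Windows build before relying on it.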
Under normal circumstances, tampering with these apps' processes wouldn't be possible because of two Windows security protections: Control Flow Guard and pointer encoding.
But in his write-up of the Ctrl-Inject technique, Kerner also provides a roadmap on how to bypass both protections.
For now, the Ctrl-Inject technique has only been detailed at a theoretical level. It will take some time before malware incorporates this technique, but this is bound to happen.