Unlike traditional thread hijacking, which requires suspending and resuming threads using easily monitored APIs like SuspendThread and ResumeThread, WTH targets threads already in a waiting state, eliminating the need for suspicious thread manipulation. The technique works by exploiting Windows Thread Pools, which contain numerous waiting threads ready to be activated upon specific events. This stealthy process injection method, revealed on April 14, 2025, represents an evolution of the classic Thread Execution Hijacking approach but employs a far more elusive methodology to evade detection by modern security solutions. Once the waiting thread completes its wait state, it executes the malicious code before seamlessly returning to its original function, maintaining process stability. Instead of creating new threads or manipulating active ones, attackers identify dormant waiting threads and replace their return addresses with pointers to malicious shellcode. A sophisticated new malware technique known as “Waiting Thread Hijacking” (WTH) has emerged as a significant threat to cybersecurity defenses. What makes Waiting Thread Hijacking particularly concerning is its ability to execute injected code without triggering the typical alerts that would flag conventional methods. These threads are paused inside system calls like NtRemoveIoCompletion or NtWaitForWorkViaWorkerFactory, waiting for specific events to resume execution. By splitting the attack across multiple processes, attackers can further obfuscate the malicious behavior, with each child process handling a different step of the injection sequence. The attack identifies such threads, obtains their context, and strategically replaces the return address on their stack with a pointer to malicious code. The technique avoids suspending threads and instead relies on the natural activation of waiting threads. Process injection techniques have long been a staple in malware arsenals, allowing attackers to hide malicious modules within legitimate processes. When these threads naturally resume execution, they unwittingly execute the injected code before returning to their normal operations. The core of WTH’s evasion capability lies in its exploitation of waiting threads, specifically those with the wait reason WrQueue. CheckPoint researchers identified this technique through extensive analysis of thread behavior in Windows systems. The method requires only basic process handle access permissions (PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE for the target process and THREAD_GET_CONTEXT for threads) rather than the more suspicious and monitored THREAD_SET_CONTEXT or THREAD_SUSPEND_RESUME permissions. The technique proves especially effective against security products that focus on monitoring specific API sequences rather than analyzing memory operations comprehensively. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. The technique has already proven effective at bypassing some EDR solutions that block other injection methods, though no single technique is universally successful against all defenses.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 15 Apr 2025 10:50:16 +0000