Windows fibers allow you to execute malicious shellcode unnoticed by EDR

Father

At the Black Hat Asia conference in Singapore, two new ways of using Windows fibers to execute malicious code were presented. One of them, Poison Fiber, allows the attack to be carried out remotely, that is, against another running process.

Both PoCs were authored by independent security researcher Daniel Jary. According to him, the Poison Fiber and Phantom Thread attacks are improved versions of existing open-source techniques: they hide injected shellcode or another payload more reliably on a system protected by EDR.

Fiber support was introduced in Windows NT 3.51 and in early versions of Mac OS to provide lightweight cooperative multitasking. Processors then had fewer cores, and splitting a workload into threads did not always deliver the expected benefit.

The fiber concept allows work to be split more finely, within a single thread. Fibers exist only in user mode, and their scheduling is cooperative: the thread that owns them switches between them explicitly, and a fiber runs until it switches away.

Fibers are invisible to the OS kernel: the scheduler only knows about threads, and everything a fiber does is attributed to its host thread. They are also hard to enumerate from memory. Both properties are attractive to attackers, because code can be run in a fiber without creating a new thread, which is what EDR hooks typically watch for.
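How fibers are scheduled entirely in user mode, as an added example that is not code from the article or from Daniel Jary's PoCs: three fibers are created on one thread and driven round-robin by that thread itself; each fiber records the kernel thread id it sees, and all of them report the scheduler's own thread, because no thread was ever created. On Windows the block uses the real fiber API (ConvertThreadToFiber, CreateFiber, SwitchToFiber); on other platforms it falls back to POSIX ucontext, the Unix analogue, and assumes a Linux build so that gettid() returns the kernel thread id. The fiber names, round count and buffer sizes are arbitrary choices for the demonstration.

```c
/* Cooperative user-mode scheduling with fibers. Added example, not code from the
 * article or from Jary's PoCs. Windows: real fiber API. Elsewhere: POSIX ucontext
 * fallback (assumption: Linux, so SYS_gettid gives the kernel thread id). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#define FIBER_CC CALLBACK
#else
#include <ucontext.h>
#include <unistd.h>
#include <sys/syscall.h>
#define FIBER_CC
#endif

#define NFIBERS 3
#define STACK_SIZE (64 * 1024)

char fiber_trace[64];                  /* order in which the fibers ran, e.g. "A0B0C0A1B1C1" */
unsigned long fiber_tids[NFIBERS + 1]; /* kernel thread id seen by each fiber; [NFIBERS] = scheduler */
static int done[NFIBERS];

#ifdef _WIN32
static LPVOID scheduler_fiber, fibers[NFIBERS];
static unsigned long current_tid(void) { return GetCurrentThreadId(); }
static void yield_to_scheduler(void) { SwitchToFiber(scheduler_fiber); }
static void switch_to_fiber(int i) { SwitchToFiber(fibers[i]); }
#else
static ucontext_t scheduler_ctx, fiber_ctx[NFIBERS], *current_ctx;
static char stacks[NFIBERS][STACK_SIZE];
static unsigned long current_tid(void) { return (unsigned long)syscall(SYS_gettid); }
static void yield_to_scheduler(void) { swapcontext(current_ctx, &scheduler_ctx); }
static void switch_to_fiber(int i) { current_ctx = &fiber_ctx[i]; swapcontext(&scheduler_ctx, current_ctx); }
#endif

/* Body of every fiber: record the thread id, do two rounds of "work", and hand control
 * back after each round. Every switch is explicit; the kernel scheduler never takes part. */
static void FIBER_CC fiber_body(void *arg)
{
    int id = (int)(intptr_t)arg;
    fiber_tids[id] = current_tid();
    for (int round = 0; round < 2; round++) {
        char step[4];
        snprintf(step, sizeof step, "%c%d", 'A' + id, round);
        strcat(fiber_trace, step);
        yield_to_scheduler();
    }
    done[id] = 1;
    /* A Windows fiber function must never return (returning ends the host thread),
     * so finish by yielding for good. */
    for (;;) yield_to_scheduler();
}

#ifndef _WIN32
static void fiber_trampoline(int id) { fiber_body((void *)(intptr_t)id); }
#endif

static int setup_fibers(void)
{
#ifdef _WIN32
    scheduler_fiber = ConvertThreadToFiber(NULL); /* the thread itself becomes the scheduler fiber */
    if (!scheduler_fiber) return 0;
    for (int i = 0; i < NFIBERS; i++)
        if (!(fibers[i] = CreateFiber(STACK_SIZE, fiber_body, (LPVOID)(intptr_t)i))) return 0;
#else
    for (int i = 0; i < NFIBERS; i++) {
        if (getcontext(&fiber_ctx[i]) != 0) return 0;
        fiber_ctx[i].uc_stack.ss_sp = stacks[i];
        fiber_ctx[i].uc_stack.ss_size = STACK_SIZE;
        fiber_ctx[i].uc_link = &scheduler_ctx;
        makecontext(&fiber_ctx[i], (void (*)(void))fiber_trampoline, 1, i);
    }
#endif
    return 1;
}

/* Round-robin over the fibers until all are done. Returns 1 if every fiber saw the same
 * kernel thread id as the scheduler, i.e. no new thread ever came into existence. */
int run_fiber_demo(void)
{
    fiber_trace[0] = '\0';
    memset(done, 0, sizeof done);
    if (!setup_fibers()) return -1;
    fiber_tids[NFIBERS] = current_tid();
    for (int remaining = NFIBERS; remaining > 0;)
        for (int i = 0; i < NFIBERS; i++) {
            if (done[i]) continue;
            switch_to_fiber(i); /* returns when fiber i yields */
            if (done[i]) remaining--;
        }
#ifdef _WIN32
    for (int i = 0; i < NFIBERS; i++) DeleteFiber(fibers[i]);
    ConvertFiberToThread();
#endif
    for (int i = 0; i < NFIBERS; i++)
        if (fiber_tids[i] != fiber_tids[NFIBERS]) return 0;
    return 1;
}

int main(void)
{
    int same = run_fiber_demo();
    printf("schedule: %s\n", fiber_trace);
    printf("all fibers ran on thread %lu: %s\n", fiber_tids[NFIBERS], same == 1 ? "yes" : "no");
    return same == 1 ? 0 : 1;
}
```

The printed schedule is `A0B0C0A1B1C1`, fixed entirely by the explicit switches in the scheduler loop; nothing in the kernel decided it. No thread-creation hook or thread-start event fires during the run, since every switch is a user-mode register and stack swap on the one existing thread, which is exactly why fibers interest both the researcher and defenders.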

Fibers are still used by some Windows processes today, and they also ease porting applications from other platforms. Their potential for abuse has been explored before: in 2022, PoC methods were published for hiding shellcode in a fiber and for masking the call stack with a sleeping fiber (the latter was added to the Cobalt Strike toolkit).

Phantom Thread builds on the second approach but also removes the opportunity to detect the malware by scanning memory: a fiber is created and then patched so that it passes for a thread.

The second PoC, Poison Fiber, enumerates running Windows processes, finds threads that use fibers, and then lets the attacker place a payload or shellcode into a sleeping fiber, which can always be found on the stack. Because no thread has to be suspended, which is what would normally alert the protection, the injection goes unnoticed and the payload is executed by the legitimate program.

"Fiber-based attacks aren't about privilege escalation, they're not about bypassing UAC, but delivering the payload gets a lot less attention," the researcher explained for Dark Reading. "They're easy to implement and harder to detect, so fibers are a great option for any script kiddie."

Jary does not intend to publish further details or the PoC code for now, but advises security teams to add Windows fibers to their list of potential attack vectors and to keep testing whether their EDR is ready for new threats.