New ‘Waiting Thread Hijacking’ Malware Technique Evades Modern Security Measures

Security researchers have introduced a novel malware process injection technique known as “Waiting Thread Hijacking” (WTH), which is engineered to execute harmful code within legitimate processes while evading numerous contemporary security measures. This innovative approach, developed by Check Point Research, marks a significant advancement over traditional Thread Execution Hijacking, achieving a higher level of stealth by steering clear of commonly scrutinized API calls.

Malware authors frequently leverage process injection methods to evade defenses, disrupt ongoing processes, or elevate their privileges. In this relentless pursuit of evasion, attackers are constantly refining their strategies to outsmart Endpoint Detection and Response (EDR) systems and antivirus solutions. WTH seeks to accomplish this by employing familiar system functions in an unconventional order.

Bypassing Traditional Detection Triggers

Traditional Thread Execution Hijacking typically entails locating a thread within a target process, suspending it using SuspendThread, modifying its execution context through SetThreadContext to redirect to malicious code, and subsequently resuming the thread with ResumeThread. These API calls, along with the necessary THREADSUSPENDRESUME and THREADSETCONTEXT access rights, are often flagged as suspicious and closely monitored by security products, frequently resulting in immediate detection.

In contrast, Waiting Thread Hijacking circumvents these detection triggers by following a distinct sequence of operations:

1. Utilizing standard functions such as VirtualAllocEx to allocate memory and WriteProcessMemory to inject the malicious payload (shellcode) into the target process. These actions require PROCESSVMOPERATION, PROCESSVMREAD, and PROCESSVMWRITE permissions.
2. Identifying an appropriate waiting thread within the target process. Threads managed by the Windows Thread Pool system, particularly those in a dormant state with the reason WrQueue, serve as ideal candidates. These threads are in a waiting mode, poised to resume automatically without necessitating ResumeThread.
3. Acquiring the thread’s context using GetThreadContext, which only demands the less suspicious THREADGETCONTEXT permission.
4. Examining the thread’s stack pointer (RSP register) to pinpoint the return address on the stack. In the identified waiting scenarios (such as within syscall wrappers like NtRemoveIoCompletion or NtWaitForWorkViaWorkerFactory), the return address is predictably situated at the top of the stack.
5. Overwriting this return address on the stack with the address of the injected shellcode via WriteProcessMemory.
6. Once the thread’s wait condition is satisfied, it naturally awakens and attempts to “return” to its caller. Instead, it follows the overwritten address, executing the attacker’s code.

Maintaining Stability and Enhancing Stealth

A pivotal element of WTH is ensuring the stability of the target application. The injected shellcode incorporates a stub that preserves the thread’s original state (including registers and flags), executes the primary malicious payload, restores the saved state, and then redirects to the original return address (which was saved prior to being overwritten). This allows the hijacked thread to resume its normal operations after executing the implant, thereby minimizing disruption.

To further evade behavioral detection systems that monitor for sequences of suspicious API calls from a single process, researchers have demonstrated an obfuscation technique. This method involves distributing the WTH steps—memory allocation, payload writing, changing memory permissions to executable, and overwriting the return address—across multiple, distinct child processes.

While WTH successfully avoids many conventional detection triggers, it is not entirely immune to detection. EDR solutions that proactively block unauthorized attempts to write into the memory of another process can effectively thwart this technique. Detection increasingly relies on behavioral analysis, scrutinizing sequences of actions (even those involving commonplace APIs) or identifying unauthorized external memory writes. The simplicity and reliance on common APIs make it challenging to detect through static analysis of the malware file alone.

Check Point Research has noted that WTH has proven effective against certain EDRs that previously flagged their “Thread Name-Calling” technique, while other EDRs managed to block WTH but not the older method. This highlights the variability in EDR capabilities and the strategic advantage attackers gain by possessing multiple injection techniques. Waiting Thread Hijacking introduces yet another stealthy option into the malware toolkit, further complicating the ongoing cat-and-mouse dynamic between attackers and defenders.