Rotem Kerner, a security researcher with enSilo, has discovered a new process injection technique that can be abused by malicious actors to hide malware inside Windows-based CLI applications.
The technique, named Ctrl-Inject, abuses the Windows "CtrlRoutine" function, used by command-line applications to assure keyboard-based interfacing between the user and the app.
Ctrl-Inject works with CLI apps only
In a
technical write-up published yesterday, Kerner described a way that a malicious actor could abuse this function to spawn malicious threads inside a legitimate CLI app's process and run malicious code.
"The main advantage of this technique over classic thread injection technique is that the remote thread is created by a trusted windows process, csrss.exe, which makes it much stealthier," Kerner said.
"Essentially, in this process injection technique, we inject our code to the target process, but we never invoke it directly," the expert added. "Instead, we are making csrss.exe invoke it for us which is far less suspicious since this a normal behavior."
"The disadvantage is that [Ctrl-Inject is] limited to console applications," Kerner said.
