An Unprecedented Process Injection Technique Strikes Windows Systems

Cybersecurity experts have stumbled upon 18 deceitful loan applications for Android on the widely used Google Play Store. 

What’s more alarming is that these seemingly attractive apps have duped over 12 million users into downloading them.

Appealing Apps Concealing Dark Intentions

Despite their enticing appearances, these apps are not what they seem. Disguised as platforms offering high-interest-rate loans with alluring descriptions, they are, in reality, sophisticated tools designed to defraud users.

The malicious software collects personal and financial information, later deploying it for blackmail, aiming to seize victims’ funds.

Targeting Global Borrowers

ESET tracks this campaign under the name "SpyLoan." Its primary targets are potential borrowers in Southeast Asia, Africa, and Latin America.

The Hit List: Apps Taken Down, but the Damage is Done

Google took down these malicious apps only after they had already done damage. The list includes seemingly innocuous names such as AA Kredit, Amor Cash, Cashwow, and more.

These apps specifically targeted users in regions where financial vulnerabilities are prevalent.

Infection Pathways: Beyond Google Play Store

The infection pathways for these apps extend beyond the Google Play Store. SMS messages and popular social media channels such as Twitter, Facebook, and YouTube are prominent conduits for spreading the malware. 

Additionally, the apps were available for download on scam websites and third-party app stores.

PoolParty: A New Wave of Stealthy Process Injection Techniques

In a recent discovery, cybersecurity researchers found eight process injection techniques, collectively named PoolParty.

This collection poses a significant threat because it enables code execution in a target process on Windows systems while evading detection by endpoint detection and response (EDR) products.

According to findings presented by SafeBreach researcher Alon Leviev at the Black Hat Europe 2023 conference, PoolParty stands out for its unparalleled flexibility. 

The techniques work against any process, which makes them more versatile than existing process injection methods.

Understanding Process Injection: A Tactical Evasion Technique

Process injection, a well-known evasion technique, involves running arbitrary code in a target process. 

Various methods exist, such as DLL injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging. 

PoolParty distinguishes itself by abusing the Windows user-mode thread pool, using it as a foundation for inserting various kinds of work items into a targeted process.

The Heart of PoolParty's Operation

The crux of PoolParty lies in targeting worker factories, the Windows objects responsible for managing thread pool worker threads.

By overwriting the start routine with malicious shellcode, PoolParty sets the stage for subsequent execution by worker threads. 

This approach allows threat actors to take control of worker threads, offering unprecedented flexibility.

A Disturbing Success Rate: PoolParty vs. EDR Solutions

SafeBreach's research reports that PoolParty achieved a 100% success rate against the popular EDR solutions it was tested against.

It bypassed security offerings from industry giants including CrowdStrike, Cybereason, Microsoft, Palo Alto Networks, and SentinelOne.

Beyond Known Boundaries!

Although modern EDRs are designed to detect known process injection techniques, PoolParty shows that a novel technique can still slip past them.

Staying ahead of the game requires proactive measures from security tool vendors and practitioners. 

As sophisticated threat actors continue to explore new methods, the defence against them must be equally dynamic and forward-looking.

author

Anas Hasan

date

December 12, 2023


Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
