New Moonwalk++ PoC Demonstrates How Malware Can Forge Windows Call Stacks to Evade Detection

Recently, security researchers have exposed a new and alarming technique that enables malware to completely conceal its presence by falsifying Windows call stacks, a method specifically designed to evade modern endpoint detection systems.

The technique, known as Moonwalk++, builds upon previous research on Stack Moonwalking and reveals a significant vulnerability in the way security tools verify whether malware is invoking sensitive Windows functions.

By fabricating the sequence of function calls that appear in system memory, attackers can make malicious code appear as if it is originating from legitimate software, effectively disguising its true intentions.

feasible memory location
feasible memory location

According to the research, “Call stacks have become a critical detection surface for modern EDR tools.” Security products like Elastic Security have invested heavily in analyzing call stacks to identify suspicious API calls.

However, Moonwalk++ demonstrates that these defenses have significant blind spots, which can be exploited by sophisticated attackers.

The attack takes advantage of how Windows stores information about which functions call other functions, allowing malware to manipulate this information and conceal its true origin.

Normally, when malware invokes a sensitive Windows API, such as creating a new process or allocating memory, security tools examine the call chain to determine the malware’s origin.

Moonwalk++ manipulates this chain to point to legitimate Windows system functions instead, effectively hiding the real attacker.

Spoof target function

What makes Moonwalk++ particularly concerning is its ability to encrypt the malicious code while it is running, making it even more difficult to detect.

Previous versions of Stack Moonwalking were unable to do this because the technique relied on specific execution patterns that would break if the code was encrypted.

The new version of Moonwalk++ solves this problem through a clever stack manipulation trick, allowing malware to remain hidden even while executing.

The researchers tested their proof-of-concept against popular detection tools, including Hunt-Sleeping-Beacons, Get-InjectedThreadEx, and Hollow’s Hunter.

All of the detection tools failed to detect the Moonwalk++ technique when it was injected into legitimate Windows processes like OneDrive.exe.

The technique defeats current detection methods by meeting several key conditions, including removing direct references to the malicious code from the call stack, making the thread appear to start from legitimate Windows functions, and concealing suspicious memory regions.

This research represents a significant escalation in the ongoing cat-and-mouse game between attackers and defenders, as detection strategies become more sophisticated, adversaries are developing equally advanced evasion techniques.

As a result, security teams must adapt their defense strategies to incorporate additional telemetry beyond stack inspection, including behavioral analysis, memory patterns, and API usage frequency monitoring.

Evasion Evaluation
Evasion Evaluation

The authors built on research originally presented at DEFCON 31 and have released their proof-of-concept code publicly on GitHub.

For security teams, this research highlights the limitations of relying solely on call stack analysis for detection and the need to incorporate additional telemetry to stay ahead of sophisticated attackers.

The full technical details and proof-of-concept code are available to security researchers and defenders studying advanced evasion techniques.

Related Articles

Back to top button