Immoral Fiber: Unlocking & Discovering New Offensive Capabilities of Fibers

Discover how attackers leverage Windows fibers to evade detection, including two new offensive techniques: Phantom Thread and Poison Fiber. Learn key advantages and detection challenges.

Key takeaways
  • Fibers are stackful coroutines, lightweight units of execution that a thread schedules cooperatively (via SwitchToFiber) rather than the kernel; the kernel sees only the hosting thread, so fiber switches are invisible to it and provide an alternate way to run code

  • Key advantages of using fibers for offensive operations:

    • No new thread object is created, so running code on a fiber produces no thread artifacts and triggers no thread-creation kernel callbacks
    • Less common than threads, so fiber activity stands out less and is harder to detect
    • No ETW provider emits fiber-specific events
    • Simple API (ConvertThreadToFiber, CreateFiber, SwitchToFiber) with a low barrier to entry
    • Sidesteps heuristics keyed on thread creation and thread attributes
  • Two new offensive techniques developed:

    • Phantom Thread: Allows injection into dormant fibers while maintaining legitimate stacks
    • Poison Fiber: Enables remote callback injection through fiber local storage
  • Defensive challenges with fibers:

    • Limited open source tooling available
    • No built-in Windows API for enumerating another process's fibers
    • Traditional thread-based detection methods don't apply
    • Call-stack collection needs different signatures, since a fiber runs on its own stack rather than the thread's original one
    • Immature detection capabilities overall
  • Implementation considerations:

    • Fiber objects must be validated carefully before use
    • Fiber callbacks must be handled properly to avoid crashes; in particular a fiber's start routine must never return, since that exits the hosting thread
    • Malicious activity can be masked by switching between innocent and malicious fiber stacks
    • Payloads can be chunked across multiple callbacks
    • Clean-up (e.g. DeleteFiber, ConvertFiberToThread) matters to avoid leaving artifacts
  • Fiber usage remains relevant even though Microsoft's own documentation advises that fibers rarely offer advantages over a well-designed multithreaded application:

    • Still used in browsers and audio software
    • Microsoft itself uses fibers in system processes
    • Growing interest from attackers as an evasion technique
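The "simple API" advantage and the implementation considerations above (chunking a payload across resumptions, switching back to an innocent stack in between, cleaning up afterwards) are easiest to see in code. The following is an added example and is not code from the talk, its authors or their tooling: a small stackful-coroutine harness that uses the real Win32 fiber API on Windows (ConvertThreadToFiber, CreateFiber, SwitchToFiber, DeleteFiber, ConvertFiberToThread) and falls back to POSIX ucontext elsewhere so the same scheduling model can be run on any host. The names `fiber_ctx`, `run_chunked_payload` and the sample chunks are this example's own assumptions, not anything from the page. Note that no thread-creation API is called anywhere: the "payload" runs on the caller's own thread.

```c
/* Added example (not from the talk or its tooling): a minimal stackful-
 * coroutine harness. On Windows it uses the fiber API; elsewhere POSIX
 * ucontext stands in for it. The "payload" assembles a string one chunk
 * per resumption and hands control back to a benign routine in between.
 * fiber_ctx, run_chunked_payload and CHUNKS are this example's own names. */
#ifdef _WIN32
#include <windows.h>
#else
#define _XOPEN_SOURCE 700
#include <ucontext.h>
#include <stdlib.h>
#endif
#include <stdio.h>
#include <string.h>

#define STACK_SIZE (64 * 1024)
#define N_CHUNKS 4
/* Constructed sample payload, split so each resumption handles one piece. */
static const char *const CHUNKS[N_CHUNKS] = { "fib", "er-", "dem", "o" };

struct fiber_ctx {
#ifdef _WIN32
    LPVOID main_fiber, work_fiber;
#else
    ucontext_t main_ctx, work_ctx;
    char *stack;
#endif
    char out[32];
    int chunks_done;
    int finished;
};

/* makecontext() cannot portably pass a pointer argument, so the POSIX
 * fiber entry finds its context through this global. */
static struct fiber_ctx *g_ctx;

static void yield_to_main(struct fiber_ctx *c) {
#ifdef _WIN32
    SwitchToFiber(c->main_fiber);
#else
    swapcontext(&c->work_ctx, &c->main_ctx);
#endif
}

/* Payload fiber: one chunk per resumption, then a final yield. A fiber
 * start routine must never return (on Win32 that exits the hosting
 * thread), so the last yield is never resumed; the creator deletes it. */
static void payload_body(struct fiber_ctx *c) {
    for (int i = 0; i < N_CHUNKS; i++) {
        strcat(c->out, CHUNKS[i]);
        c->chunks_done++;
        if (i < N_CHUNKS - 1) yield_to_main(c);
    }
    c->finished = 1;
    yield_to_main(c);
}

#ifdef _WIN32
static VOID CALLBACK fiber_entry(LPVOID p) { payload_body((struct fiber_ctx *)p); }
#else
static void fiber_entry(void) { payload_body(g_ctx); }
#endif

/* Runs the payload to completion and returns how many resumptions it took
 * (-1 on setup failure). Between resumptions the "innocent" side runs. */
static int run_chunked_payload(struct fiber_ctx *c) {
    memset(c, 0, sizeof *c);
    g_ctx = c;
#ifdef _WIN32
    c->main_fiber = ConvertThreadToFiber(NULL);   /* caller becomes a fiber */
    if (!c->main_fiber) return -1;
    c->work_fiber = CreateFiber(STACK_SIZE, fiber_entry, c);
    if (!c->work_fiber) return -1;
#else
    c->stack = malloc(STACK_SIZE);
    if (!c->stack) return -1;
    getcontext(&c->work_ctx);
    c->work_ctx.uc_stack.ss_sp = c->stack;
    c->work_ctx.uc_stack.ss_size = STACK_SIZE;
    c->work_ctx.uc_link = &c->main_ctx;
    makecontext(&c->work_ctx, fiber_entry, 0);
#endif
    int resumes = 0;
    while (!c->finished) {
        resumes++;
#ifdef _WIN32
        SwitchToFiber(c->work_fiber);
#else
        swapcontext(&c->main_ctx, &c->work_ctx);
#endif
        /* Back on the benign stack: a stack sampled here looks ordinary. */
        printf("resume %d: %d chunk(s) assembled\n", resumes, c->chunks_done);
    }
    /* Clean-up so no fiber object or fiber stack lingers as an artifact. */
#ifdef _WIN32
    DeleteFiber(c->work_fiber);
    ConvertFiberToThread();
#else
    free(c->stack);
#endif
    return resumes;
}

int main(void) {
    struct fiber_ctx ctx;
    int n = run_chunked_payload(&ctx);
    printf("payload \"%s\" finished after %d resumption(s)\n", ctx.out, n);
    return n == N_CHUNKS ? 0 : 1;
}
```

Build with `cl` or MinGW `gcc` on Windows, or plain `gcc` on Linux. On Windows, watching the process in a debugger or Process Explorer while it runs shows the thread count unchanged throughout, which is the whole point of the "no thread artifacts" advantage; the only objects created are the fiber and its stack, both released by the clean-up at the end.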