
A sophisticated proof-of-concept demonstrating how malware can bypass advanced call stack detection mechanisms increasingly adopted by enterprise security vendors like Elastic.
The new Moonwalk++ technique extends prior stack-spoofing research and reveals critical gaps in current endpoint detection strategies.

The Evasion Challenge
As defenders increasingly rely on call stack telemetry to identify malicious activity, attackers are developing more advanced countermeasures.
Moonwalk++ introduces methods to spoof call stacks while simultaneously encrypting malware in memory, a combination of capabilities previously considered infeasible.
Elastic Security Labs recently published detection logic designed to identify anomalous call stacks by analyzing execution patterns, caller identification, and memory characteristics.

Moonwalk++ circumvents these protections through multiple evasion vectors. The PoC demonstrates three significant bypasses:
Call Instruction Validation Bypass: Detection systems check whether the instruction immediately preceding each return address is a legitimate CALL. Researchers identified Windows gadgets that naturally contain call instructions at the expected locations, allowing spoofed frames to appear legitimate.
Module Resolution Evasion: Previous implementations assumed the final caller module would remain unresolvable. Moonwalk++ injects shellcode into legitimate processes such as OneDrive.exe, allowing gadgets to be sourced from the target process’s image base rather than system libraries.
In-Memory Encryption: The technique employs custom ROP chains to encrypt and modify the memory protections of shellcode regions post-deployment. A novel stack structure conceals these encryption routines within invisible stack frames, maintaining a clean, unwindable call stack despite ongoing encryption operations.
The research, led by security expert Alessandro Magnosi (klezVirus), builds on the foundational Stack Moonwalk technique presented at DEFCON 31.
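To make the call-instruction validation concrete, here is a small x64 "call-preceded" check of the kind a call stack detector applies to each sampled return address. This is an added example written for this page, not code from the article, from Elastic, or from the Moonwalk++ project; the byte strings it operates on are constructed for illustration, and the function names are the example's own. It also shows why the check alone is not conclusive: any address that happens to sit right after bytes decoding as a CALL passes, whether or not the thread actually executed that call, which is exactly the gap the gadget-based bypass exploits.

```python
# Added example (not from the article or the Moonwalk++ project): a minimal x64
# "call-preceded" return address check. All byte strings below are constructed.

REX_PREFIXES = range(0x40, 0x50)


def _ff_call_length(buf: bytes) -> int:
    """Length of an indirect CALL (FF /2) starting at buf[0], or 0 if it isn't one.

    Handles ModRM, an optional SIB byte and 8/32-bit displacements; x64 only.
    """
    if len(buf) < 2 or buf[0] != 0xFF:
        return 0
    modrm = buf[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:          # /2 selects CALL; other reg values are INC, JMP, PUSH, ...
        return 0
    length = 2
    if mod == 3:          # call r64
        return length
    if rm == 4:           # SIB byte present
        if len(buf) < 3:
            return 0
        length += 1
        if mod == 0 and (buf[2] & 7) == 5:
            length += 4   # [index*scale + disp32] with no base register
    elif mod == 0 and rm == 5:
        length += 4       # [rip + disp32]
    if mod == 1:
        length += 1       # disp8
    elif mod == 2:
        length += 4       # disp32
    return length


def is_call_preceded(code: bytes, ret_offset: int) -> bool:
    """True if the bytes just before code[ret_offset] decode as a CALL that ends
    exactly at ret_offset, the property a genuine return address has."""
    # Shortest CALL (FF /2) is 2 bytes; longest REX + FF + ModRM + SIB + disp32 is 8.
    for length in range(2, 9):
        start = ret_offset - length
        if start < 0:
            break
        chunk = code[start:ret_offset]
        if length == 5 and chunk[0] == 0xE8:             # E8 rel32 direct call
            return True
        if chunk[0] in REX_PREFIXES:
            if _ff_call_length(chunk[1:]) == length - 1:
                return True
        elif _ff_call_length(chunk) == length:
            return True
    return False


def suspicious_return_offsets(code: bytes, ret_offsets):
    """Return addresses from a sampled call stack that fail the check."""
    return [off for off in ret_offsets if not is_call_preceded(code, off)]


# Constructed "function" image used as the code region the return addresses point into.
SAMPLE_CODE = bytes([
    0x48, 0x83, 0xEC, 0x28,              # 0:  sub rsp, 0x28
    0xE8, 0x10, 0x00, 0x00, 0x00,        # 4:  call rel32        -> return address at offset 9
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,  # 9:  call [rip+0x1000] -> return address at offset 15
    0x41, 0xFF, 0xD3,                    # 15: call r11          -> return address at offset 18
    0x48, 0x83, 0xC4, 0x28,              # 18: add rsp, 0x28
    0xC3,                                # 22: ret
])
GENUINE_RETURNS = [9, 15, 18]
SPOOFED_RETURN = 22   # points at the RET; the bytes before it are not a CALL

# Constructed gadget-like region: a CALL followed by a NOP. Offset 6 passes the
# check even though no thread ever executed this call, so a passing result is a
# necessary condition, not proof of a legitimate frame.
GADGET_REGION = bytes([0xFF, 0x15, 0x00, 0x20, 0x00, 0x00, 0x90])

if __name__ == "__main__":
    print("flagged:", suspicious_return_offsets(SAMPLE_CODE, GENUINE_RETURNS + [SPOOFED_RETURN]))
    print("gadget region passes check:", is_call_preceded(GADGET_REGION, 6))
```

Because the gadget region passes, a detector that stops at this check learns nothing about whether the frame was really executed; the article's other signals (which module the final caller resolves to, and the memory characteristics of the return target) have to be weighed alongside it.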
Detection Failure
Testing against popular security tools yielded concerning results. Hunt-Sleeping-Beacons, Get-InjectedThreadEx, and even the Eclipse detection algorithm failed to identify Moonwalk++ activity.
While hollows_hunter could detect encrypted artifacts through obfuscation analysis, call stack inspection techniques proved ineffective.
The research highlights a fundamental weakness in stack-based detection: it relies on assumptions about legitimate execution patterns and memory characteristics. When those assumptions no longer hold, the detection mechanisms built on them can be bypassed.

The complete code is available on GitHub as “Moonwalk--” (hyphens used due to platform restrictions), alongside comprehensive technical documentation.
Researchers emphasize that this work demonstrates the depth of call stack evasion capabilities when techniques are fully optimized, challenging current assumptions underlying modern endpoint detection strategies.
