New Evasive Technique - Early Bird Code Injection
Researchers have recently documented a code injection technique, named Early Bird, that the Iranian group APT33 used to deliver the TurnedUp malware onto infected systems while bypassing anti-malware tools. Attackers constantly refine their techniques to evade existing security controls. Early Bird takes advantage of how Windows starts the main thread of a newly created process: the attacker injects malicious code into a freshly created, still-suspended instance of a legitimate Windows program and arranges for that code to run before the program's own code does. The malicious payload therefore executes inside a commonly seen, legitimate-looking process.
Many anti-malware products rely on a technique called hooking, which can normally spot this kind of injection. “Hooks are code sections that are inserted by legitimate anti-malware products when a process starts running. They are placed on specific Windows API calls. The goal of the hooks is to monitor API calls with their parameters to find malicious calls or call patterns,” Cyberbit explains. The Early Bird technique used by APT33 is built to execute before those hooks are in place, which is how it evades the hooking process.
According to the Cyberbit report, Early Bird loads the malicious code at a very early stage of thread initialisation, before many security products have placed their hooks, which lets the malware carry out its actions without being detected. Cyberbit said the technique has been used by several known malware strains, including TurnedUp, a variant of the notorious Carberp banking malware, and DorkBot. The injection flow described by Cyberbit has four steps:

1. Create a legitimate Windows process in a suspended state, so that its main thread exists but has not yet started executing.
2. Allocate memory inside that process and write the malicious code into it.
3. Queue an asynchronous procedure call (APC) to the process's main thread, pointing at the injected code.
4. Resume the main thread. A newly started thread delivers its pending user-mode APCs before it reaches the program's entry point, so the injected code runs before the process's own code and before the hooks that security products normally install when a process starts.

Because the hooks are placed by user-mode code loaded into the target process, and the payload runs before that code is loaded, detection has to come from outside the process: kernel-side process and thread callbacks, ETW, or sandbox API tracing that records cross-process memory writes and APC queuing.
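The four-step flow above is also a detection signature when it is observed from outside the target process. The following is an added example, not code from Cyberbit or from any of the malware discussed: a small Python detector that walks a trace of cross-process API calls and flags the Early Bird sequence (suspended child, remote allocation, remote write, APC queued to the never-run main thread). The trace format, the PIDs, thread IDs and addresses are all constructed for this example; it assumes the telemetry source has already resolved process and thread handles to IDs. It also covers the variant where memory is allocated read-write and made executable later with VirtualProtectEx, which the text does not mention but which the same logic catches.

```python
"""Detect the Early Bird injection sequence in a cross-process API-call trace.

Constructed example: one dict per API call, with the calling PID, the target
PID, and the arguments a kernel-callback, ETW or sandbox tracer would record.
This stands in for real telemetry; it is not the format of any real product.
"""
from dataclasses import dataclass, field

CREATE_SUSPENDED = "CREATE_SUSPENDED"


@dataclass
class SuspendedTarget:
    """A process created with CREATE_SUSPENDED whose main thread has not run yet."""
    creator_pid: int
    main_tid: int
    image: str
    resumed: bool = False
    # base -> {"size", "exec", "written"}: memory the creator allocated remotely
    regions: dict = field(default_factory=dict)

    def region_for(self, addr):
        """Return the tracked region containing addr, or None."""
        for base, info in self.regions.items():
            if base <= addr < base + info["size"]:
                return info
        return None


def detect_early_bird(events):
    """Return one finding per Early Bird pattern seen in the trace.

    The decisive moment is QueueUserAPC: the caller created the target
    suspended, wrote into memory it made executable, and queues an APC at
    that memory to a main thread that has never executed. Flagging here is
    earlier than waiting for ResumeThread.
    """
    targets = {}   # target_pid -> SuspendedTarget
    findings = []
    for ev in events:
        api = ev["api"]
        if api in ("CreateProcessA", "CreateProcessW"):
            if CREATE_SUSPENDED in ev.get("flags", ()):
                targets[ev["target_pid"]] = SuspendedTarget(
                    ev["pid"], ev["thread_id"], ev.get("image", "?"))
            continue
        st = targets.get(ev.get("target_pid"))
        # Only calls from the creating process into its suspended child matter here.
        if st is None or ev["pid"] != st.creator_pid:
            continue
        if api == "VirtualAllocEx":
            st.regions[ev["addr"]] = {"size": ev["size"],
                                      "exec": "EXECUTE" in ev["protect"],
                                      "written": False}
        elif api == "VirtualProtectEx":
            region = st.region_for(ev["addr"])
            if region:
                region["exec"] = "EXECUTE" in ev["protect"]
        elif api == "WriteProcessMemory":
            region = st.region_for(ev["addr"])
            if region:
                region["written"] = True
        elif api == "QueueUserAPC":
            region = st.region_for(ev["func"])
            if (ev["thread_id"] == st.main_tid and not st.resumed
                    and region and region["written"] and region["exec"]):
                findings.append({"creator_pid": st.creator_pid,
                                 "target_pid": ev["target_pid"],
                                 "thread_id": st.main_tid,
                                 "image": st.image,
                                 "apc_entry": ev["func"]})
        elif api == "ResumeThread" and ev["thread_id"] == st.main_tid:
            st.resumed = True   # a later APC is ordinary APC injection, not Early Bird
    return findings


# Constructed trace: an injector (PID 4242) performing Early Bird against a
# suspended child (PID 5150, main thread 5151), followed by a benign debugger
# (PID 700) that starts a suspended child and resumes it without touching it.
SAMPLE_TRACE = [
    {"api": "CreateProcessW", "pid": 4242, "target_pid": 5150, "thread_id": 5151,
     "image": r"C:\Windows\System32\svchost.exe", "flags": ["CREATE_SUSPENDED"]},
    {"api": "VirtualAllocEx", "pid": 4242, "target_pid": 5150,
     "addr": 0x1A0000, "size": 0x1000, "protect": "PAGE_EXECUTE_READWRITE"},
    {"api": "WriteProcessMemory", "pid": 4242, "target_pid": 5150,
     "addr": 0x1A0000, "size": 0x2F0},
    {"api": "QueueUserAPC", "pid": 4242, "target_pid": 5150,
     "thread_id": 5151, "func": 0x1A0000},
    {"api": "ResumeThread", "pid": 4242, "target_pid": 5150, "thread_id": 5151},
    {"api": "CreateProcessW", "pid": 700, "target_pid": 800, "thread_id": 801,
     "image": r"C:\tools\app.exe", "flags": ["CREATE_SUSPENDED"]},
    {"api": "ResumeThread", "pid": 700, "target_pid": 800, "thread_id": 801},
]

if __name__ == "__main__":
    for f in detect_early_bird(SAMPLE_TRACE):
        print("Early Bird injection: PID %d -> PID %d (%s), APC at 0x%X"
              % (f["creator_pid"], f["target_pid"], f["image"], f["apc_entry"]))
```

The benign debugger sequence produces no finding because nothing was written into the child before it was resumed, and a QueueUserAPC issued after ResumeThread is deliberately left to an ordinary APC-injection rule rather than this one. In a real deployment the trace would come from a kernel driver or ETW provider rather than from in-process hooks, which is the whole point of the technique.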