Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools.
While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware strains to help attackers evade detection.
As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.
The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” said Cyberbit’s report, written by malware analyst Hod Gavriel, and principal software engineer Boris Erbesfeld.
With this new code injection technique, an attacker could re-use old malware that was not detected by AV. Cyberbit reports that the Early Bird code injection technique has been used in an array of known malware strains, including TurnedUp, a variant of the notorious Carberp banking malware, and DorkBot malware, researchers said. According to FireEye, which first discovered TurnedUp in September 2017, the malware is capable of data exfiltration, creating reverse shells, taking screenshots and gathering system information.
Cyberbit has published a more detailed report on the injection procedure, along with videos on YouTube.
How Early Bird Code Injection Works
According to Cyberbit, the malware's code injection flow starts by creating a suspended instance of a legitimate Windows process. Next, it allocates memory in that process and writes the malicious code into it. It then queues an asynchronous procedure call (APC) to that process. Lastly, it resumes the main thread of the process, which executes the APC pointing to the malicious code.
Here’s a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process in a way that gets it executed before an anti-malware program starts scanning.
– Create a suspended process of a legitimate Windows process (e.g., svchost.exe)
– Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region.
– Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe).
– Since a queued APC only executes when its thread is in an alertable state, call the NtTestAlert function to force the kernel into executing the malicious code as soon as the main thread resumes.
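The sequence above is what a detection rule can correlate on: a process started suspended, remote memory allocated and written, an APC queued to its main thread, and only then a resume. The following is an added example, not Cyberbit's code or any product's rule, and its event schema and sample telemetry are constructed assumptions rather than a real sensor's output.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # CreateProcess dwCreationFlags bit

# Constructed telemetry (not from any real sensor): tuples of
# (caller_pid, api, target_pid, details). Pid 100 runs the Early Bird
# sequence against pid 200; pid 300 starts pid 400 suspended the way a
# debugger would, but queues no APC, so it must not be flagged.
EVENTS = [
    (100, "CreateProcess", 200, {"flags": CREATE_SUSPENDED, "image": "svchost.exe"}),
    (100, "VirtualAllocEx", 200, {"protect": "PAGE_EXECUTE_READWRITE"}),
    (100, "WriteProcessMemory", 200, {}),
    (100, "QueueUserAPC", 200, {"thread": "main"}),
    (100, "ResumeThread", 200, {"thread": "main"}),
    (300, "CreateProcess", 400, {"flags": CREATE_SUSPENDED, "image": "notepad.exe"}),
    (300, "ResumeThread", 400, {"thread": "main"}),
]

# Stage each API advances, and the stage that must already be present.
STAGES = {
    "VirtualAllocEx": ("alloc", "suspended"),
    "WriteProcessMemory": ("write", "alloc"),
    "QueueUserAPC": ("apc", "write"),
    "NtQueueApcThread": ("apc", "write"),
}

def detect_early_bird(events):
    """Return one alert per target pid whose main thread had an APC queued
    (after a remote allocate+write) while the process was still suspended."""
    state = defaultdict(dict)  # target_pid -> {"stages": set, "image": str}
    alerts = []
    for caller, api, target, d in events:
        st = state[target]
        if api == "CreateProcess":
            # Only a suspended start opens a window before the main thread runs.
            st.clear()
            if d.get("flags", 0) & CREATE_SUSPENDED:
                st.update(stages={"suspended"}, image=d.get("image", "?"))
        elif api in STAGES and st:
            stage, needs = STAGES[api]
            if needs in st["stages"]:
                st["stages"].add(stage)
        elif api == "ResumeThread" and st:
            if "apc" in st["stages"]:
                alerts.append({"injector": caller, "target": target,
                               "image": st["image"], "via": "Early Bird APC"})
            st.clear()  # once the main thread runs, the window has closed
    return alerts

if __name__ == "__main__":
    for alert in detect_early_bird(EVENTS):
        print(alert)
```

The ordering matters: an APC queued after the thread has already resumed is ordinary APC injection, so the correlator deliberately resets its state on ResumeThread.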
The Cyberbit write-up will now serve as a guideline for antivirus vendors, which will use the techniques described by Cyberbit to create detection rules for malware that may be trying to abuse Early Bird to hide malicious activity on infected systems.