While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware that helped attackers evade detection.
As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by Windows hook engines used by most anti-malware products.
The Early Bird code injection technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected,” the researchers said.
The technique is similar to the AtomBombing code injection technique that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no anti-malware tools can detect.
How Early Bird Code Injection Works
Early Bird code injection method relies on a Windows built-in APC (Asynchronous Procedure Calls) function that allows applications to execute code asynchronously in the context of a particular thread.
Here’s a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process in a way that it gets executed earlier before an anti-malware program starts scanning.
- Create a suspended process of a legitimate Windows process (e.g., svchost.exe)
- Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
- Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
- Since APC can execute a process only when it is in an alertable state, call NtTestAlert function to force kernel into executing the malicious code as soon as the main thread resumes.
According to the researchers, at least three following-mentioned malware were found using Early Bird code injection in the wild.
- “TurnedUp” backdoor, developed by an Iranian hacking group (APT33)
- A variant of “Carberp” banking malware
- “DorkBot” malware
Initially discovered by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.
Dates back to 2012, DorBot is botnet malware distributed via links on social media, instant messaging apps or infected removable media and is used to steal users’ credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims’ computers.
Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.