Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools.
The Early Bird code injection technique, highlighted in a Wednesday report by Cyberbit, takes advantage of the application threading process that happens when a program executes on a computer. In other words, attackers inject malware code into legitimate process threads in an effort to hide malicious code inside commonly seen and legitimate computer processes.
This process injection method is not unique. Anti-malware tools have created a technique called hooking that can easily spot when this type of technique is used by an adversary.
“Hooks are code sections that are inserted by legitimate anti-malware products when a process starts running. They are placed on specific Windows API calls. The goal of the hooks is to monitor API calls with their parameters to find malicious calls or call patterns,” Cyberbit explains.
To avoid this hooking, Cyberbit said, APT33 cybercriminals have created an Early Bird technique to circumvent the anti-malware hooking process.
The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” said Cyberbit’s report, written by malware analyst Hod Gavriel, and principal software engineer Boris Erbesfeld.
Cyberbit said Early Bird code injection technique has been used in an array of known malware strains, including TurnedUp. The malware is variant of the notorious Carberp banking malware and DorkBot malware, researchers said. According to FireEye, which first discovered TurnedUp in September 2017, the malware is capable of data exfiltration, creating reverse shells, taking screenshots and gathering system information.
According to Cyberbit, malware code injection flow starts with creating a suspended process of a legitimate Windows process. Next, it allocates and writes malicious code into that process. It then queues an asynchronous procedure call (APC) to that process. Lastly, it resumes the main thread of the process to execute the APC that is pointing to this malicious code.
“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” the company said in an email interview.
“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,” researchers wrote.
The Early Bird technique is similar to many injection techniques such as AtomBombing. AtomBombing is a different approach to code injection that also doesn’t rely on easy-to-spot API calls. The AtomBombing technique, first spotted in October 2016 by enSilo researchers, allows malware to inject code into processes, sans API calls.
However, AtomBombing aimed to hide the injection, while Early Bird aims to hide the malicious actions executed post-injection, said researchers.