New ‘Early Bird’ code injection technique helps malware evade detection
Target: Windows Users
Attack Vector: Code injection
Summary: Security researchers have discovered at least three malware strains using a new code injection technique, including one that the Iranian group APT33 used to burrow its TurnedUp malware inside infected systems and evade antivirus detection. The code injection technique, dubbed Early Bird, takes advantage of the thread start-up sequence that runs when a program is launched: the aim is to inject malicious code into a legitimate process's thread so that it runs hidden inside a commonly seen, legitimate process. Researchers have found the Early Bird technique in several malware campaigns, including the DorkBot malware downloader, the Carberp malware and the TurnedUp backdoor written by the APT33 Iranian hacker group.
Risk assessment summary: The threat is assessed as MODERATE. If successful, this code injection technique burrows malware inside infected systems without being detected by the system's antivirus, so the malware can lie low for some time. The risk is heightened because the technique abuses legitimate Windows OS functions. However, anti-malware tools have introduced a technique called hooking that can subsequently spot when this type of injection is being used.
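To make the hooking-based detection mentioned in the risk assessment concrete, here is an added example that is not code from the original page or from any vendor or malware family named above. It is a small Python detector that scans an API-monitor trace for the Early Bird call order: a process created suspended, code written into it, an APC queued to its not-yet-started main thread, and only then a ResumeThread. The key=value trace format, the log lines and the process IDs are all constructed for the example; the Windows API names and their ordering are the publicly documented ones.

```python
"""Detect the Early Bird APC-injection call sequence in an API-monitor trace.

Added example, not code from the article. The trace format is constructed
(one hooked API call per line, space-separated key=value fields); a real
hooking engine or ETW provider would need its own parser. The sequence
checked is the publicly documented Early Bird pattern: create a process
suspended, write code into it, queue an APC to its not-yet-started main
thread, then resume the thread so the APC runs before the program's own
entry point (and before most user-mode AV hooks are installed).
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample trace (not real telemetry). Case 1 is the Early Bird
# sequence, case 2 writes into an already running process (a different
# technique), case 3 is a debugger-style suspended start with no injection.
SAMPLE_TRACE = """\
pid=4100 api=CreateProcessW child_pid=4212 flags=CREATE_SUSPENDED image=C:\\Windows\\System32\\svchost.exe
pid=4100 api=VirtualAllocEx target_pid=4212 protect=PAGE_EXECUTE_READWRITE
pid=4100 api=WriteProcessMemory target_pid=4212 size=2048
pid=4100 api=QueueUserAPC target_pid=4212 tid=4216
pid=4100 api=ResumeThread target_pid=4212 tid=4216
pid=5000 api=CreateProcessW child_pid=5020 flags=0 image=C:\\Windows\\System32\\notepad.exe
pid=5000 api=WriteProcessMemory target_pid=5020 size=64
pid=6000 api=CreateProcessW child_pid=6010 flags=CREATE_SUSPENDED image=C:\\tools\\debuggee.exe
pid=6000 api=ResumeThread target_pid=6010 tid=6012
"""


@dataclass
class SuspendedProcess:
    """What has happened so far to a process that was created suspended."""
    creator_pid: str
    image: str
    wrote_memory: bool = False
    apc_queued: bool = False
    injector_pid: str = ""


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' trace line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def detect_early_bird(trace: str) -> List[Dict[str, str]]:
    """Return one alert per process that was resumed only after code was
    written into it and an APC was queued while it was still suspended."""
    suspended: Dict[str, SuspendedProcess] = {}
    alerts: List[Dict[str, str]] = []
    for raw in trace.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        api = ev["api"]
        if api == "CreateProcessW":
            if "CREATE_SUSPENDED" in ev.get("flags", ""):
                suspended[ev["child_pid"]] = SuspendedProcess(
                    creator_pid=ev["pid"], image=ev.get("image", "?"))
            continue
        state = suspended.get(ev.get("target_pid", ""))
        if state is None:
            continue  # target is not a suspended, not-yet-run process
        if api == "WriteProcessMemory":
            state.wrote_memory = True
            state.injector_pid = ev["pid"]
        elif api == "QueueUserAPC":
            state.apc_queued = True
            state.injector_pid = ev["pid"]
        elif api == "ResumeThread":
            if state.wrote_memory and state.apc_queued:
                alerts.append({
                    "technique": "early-bird-apc-injection",
                    "injector_pid": state.injector_pid,
                    "target_pid": ev["target_pid"],
                    "image": state.image,
                })
            # Once the main thread has run, later APCs are ordinary APC
            # injection rather than Early Bird, so stop tracking this pid.
            del suspended[ev["target_pid"]]
    return alerts


if __name__ == "__main__":
    for alert in detect_early_bird(SAMPLE_TRACE):
        print(alert)
```

The point of keying on the order of calls, rather than on any single API, is that each call is legitimate on its own (debuggers create processes suspended, installers write into child processes); it is the write plus queued APC landing before the first ResumeThread that distinguishes Early Bird from both benign activity and from APC injection into a thread that is already running.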