{"id":4484,"date":"2018-04-15T19:42:23","date_gmt":"2018-04-15T14:12:23","guid":{"rendered":"https:\/\/qadit.com\/blog\/?p=4484"},"modified":"2018-04-15T19:42:23","modified_gmt":"2018-04-15T14:12:23","slug":"hackers-found-using-a-new-code-injection-technique-to-evade-detection-2","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/hackers-found-using-a-new-code-injection-technique-to-evade-detection-2\/","title":{"rendered":"Hackers Found Using A New Code Injection Technique to Evade Detection"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-BxrbeHXxjRk\/WtDgutv_p_I\/AAAAAAAAwOg\/Q-DL8cB6IbIkeQSF0x-BPdJ3cB51wd1ngCLcBGAs\/s1600-e20\/early-bird-code-injection-technique.png\" title=\"Hackers Found Using A New Code Injection Technique to Evade Detection\"><\/p>\n<div>\n<div dir=\"ltr\">\n<p>\nWhile performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed <b>Early Bird<\/b>, being used by at least three different sophisticated malware families that helped attackers evade detection.\n<\/p>\n<p>\nAs its name suggests, Early Bird is a &#8220;simple yet powerful&#8221; technique that allows attackers to inject malicious code into a legitimate process before its main thread starts, and thereby avoids detection by the Windows hook engines used by most anti-malware products.\n<\/p>\n<p>\nThe <a href=\"https:\/\/www.cyberbit.com\/blog\/endpoint-security\/new-early-bird-code-injection-technique-discovered\/\" rel=\"nofollow\" target=\"_blank\">Early Bird<\/a> code injection technique &#8220;loads the malicious code in a very early stage of thread initialization, before many security products place their hooks\u2014which allows the malware to perform its malicious actions without being detected,&#8221; the researchers said.\n<\/p>\n<p>\nThe technique is similar to the <a 
href=\"https:\/\/thehackernews.com\/2017\/03\/dridex-atombombing-malware.html\" target=\"_blank\">AtomBombing code injection technique<\/a> that does not rely on easy-to-detect API calls, allowing malware to inject code into processes in a manner that no anti-malware tools can detect.<\/p>\n<h3>\nHow Early Bird Code Injection Works<\/h3>\n<p class=\"video-container\">\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"525\" height=\"296\" src=\"https:\/\/www.youtube.com\/embed\/_sI76NLPMjI?version=3&#038;rel=0&#038;showsearch=0&#038;showinfo=0&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span><\/p>\n<p>\nThe Early Bird code injection method relies on a built-in Windows mechanism, Asynchronous Procedure Calls (APCs), that allows applications to execute code asynchronously in the context of a particular thread.\n<\/p>\n<p>\nHere&#8217;s a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process in a way that gets it executed before an anti-malware program starts scanning.<\/p>\n<ul>\n<li>Create a legitimate Windows process (e.g., svchost.exe) in a suspended state,<\/li>\n<li>Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,<\/li>\n<li>Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),<\/li>\n<li>Since an APC runs only when its thread is in an alertable state, call the NtTestAlert function to force the kernel into executing the malicious code as soon as the main thread resumes.<\/li>\n<\/ul>\n<p>\nAccording to the researchers, at least three malware families, listed below, were found using Early Bird code injection in the 
wild.<\/p>\n<ul>\n<li>&#8220;TurnedUp&#8221; backdoor, developed by an Iranian hacking group (APT33)<\/li>\n<li>A variant of &#8220;Carberp&#8221; banking malware<\/li>\n<li>&#8220;DorkBot&#8221; malware<\/li>\n<\/ul>\n<p>\nInitially <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2017\/09\/apt33-insights-into-iranian-cyber-espionage.html\" rel=\"nofollow\" target=\"_blank\">discovered<\/a> by FireEye in September 2017, TurnedUp is a backdoor that is capable of exfiltrating data from the target system, creating reverse shells, taking screenshots as well as gathering system information.\n<\/p>\n<p>\nDating back to 2012, <a href=\"https:\/\/research.checkpoint.com\/dorkbot-an-investigation\/\" rel=\"nofollow\" target=\"_blank\">DorkBot<\/a> is botnet malware distributed via links on social media, instant messaging apps or infected removable media and is used to steal users&#8217; credentials for online services, including banking services, participate in distributed denial-of-service (DDoS) attacks, send spam and deliver other malware to victims&#8217; computers.\n<\/p>\n<p>\nResearchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.<\/p>\n<\/div>\n<\/div>\n<p><b>Read the Full Article here: <a href=\"https:\/\/thehackernews.com\/\">The Hacker News [ THN ]<\/a><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware families that helped attackers evade detection. 
As its name suggests, Early Bird is a &#8220;simple yet powerful&#8221; technique that allows attackers to inject malicious code &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/hackers-found-using-a-new-code-injection-technique-to-evade-detection-2\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hackers Found Using A New Code Injection Technique to Evade Detection&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[293],"class_list":["post-4484","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-wonder-information"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-1ak","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4484"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4484\/revisions"}],"predecessor-
version":[{"id":4485,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4484\/revisions\/4485"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}