New injection technique named ‘Early Bird’ is used by APT33 to evade detection

Researchers have identified a code injection technique, named Early Bird, that the Iranian group APT33 uses to install the TurnedUp malware on infected systems while evading almost every cybersecurity solution.
The Early Bird code injection technique takes advantage of the application threading process that takes place when a program executes on a computer. Put simply: cybercriminals inject malware code into legitimate process threads to hide their malicious code inside legitimate computer processes.

This kind of injection is not unique. Many anti-malware tools implement a method called hooking that can quickly detect when an adversary uses this type of injection.
To avoid hooking, the APT33 cybercriminals created the Early Bird technique, which circumvents the anti-malware hooking process.

To stay safe and secure, you must implement a viable and robust cybersecurity solution. For an individual, the best cybersecurity solution comes in the form of antivirus for Windows or antivirus for Mac, depending on which OS their device is running. For companies, that step is only the first layer of cybersecurity. To obtain the best cybersecurity measures, every company must hire a cybersecurity firm that will attack the company's network on purpose to reveal its most destructive and dangerous flaws.

The Early Bird technique loads the malicious code at a very early stage of thread initialization, before many security products place their hooks, which allows the malware to perform its malicious actions without being detected.
After multiple malware analyses, researchers found that the Early Bird code injection technique has been used in an array of known malware strains, including TurnedUp.
TurnedUp is a variant of the notorious Carberp banking malware and DorkBot malware and is capable of data exfiltration, creating reverse shells, taking screenshots and gathering system information.

The TurnedUp code injection flow starts by creating a legitimate Windows process in a suspended state. Next, it allocates memory in that process and writes malicious code into it. It then queues an asynchronous procedure call (APC) to that process. Lastly, it resumes the main thread of the process, which executes the APC that points to the malicious code.
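The four-step flow above can be turned into a behavioural correlation rule. The following is an added example, not code from the original article or from any security product: the event types and field names (`process_create`, `remote_alloc`, `remote_write`, `queue_apc`, `thread_resume`, `actor`, `target`) are a hypothetical telemetry schema, and the sample events are constructed.

```python
# Ordered stages of the flow described in the article (hypothetical event names).
STAGES = ["process_create", "remote_alloc", "remote_write", "queue_apc", "thread_resume"]

# Constructed sample telemetry; "actor" is the acting PID, "target" the child PID.
EVENTS = [
    {"t": 1, "type": "process_create", "actor": 4120, "target": 5300, "suspended": True},
    {"t": 2, "type": "remote_alloc",   "actor": 4120, "target": 5300},
    {"t": 3, "type": "remote_write",   "actor": 4120, "target": 5300},
    {"t": 4, "type": "queue_apc",      "actor": 4120, "target": 5300},
    {"t": 5, "type": "thread_resume",  "actor": 4120, "target": 5300},
    # Benign: child created suspended and resumed with no remote write or APC.
    {"t": 6, "type": "process_create", "actor": 900,  "target": 5400, "suspended": True},
    {"t": 7, "type": "thread_resume",  "actor": 900,  "target": 5400},
    # Not this pattern: APC queued to a child that was never suspended.
    {"t": 8, "type": "process_create", "actor": 4120, "target": 5500, "suspended": False},
    {"t": 9, "type": "remote_write",   "actor": 4120, "target": 5500},
    {"t": 10, "type": "queue_apc",     "actor": 4120, "target": 5500},
]

def find_early_bird(events):
    """Return one alert per (actor, target) pair that completes every stage in order."""
    progress = {}  # (actor, target) -> index of the next expected stage
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["actor"], ev["target"])
        if ev["type"] == "process_create":
            # Only a child created suspended can start the chain.
            if ev.get("suspended"):
                progress[key] = 1
            else:
                progress.pop(key, None)
            continue
        nxt = progress.get(key)
        if nxt is None:
            continue
        if ev["type"] == STAGES[nxt]:
            if nxt + 1 == len(STAGES):
                alerts.append({"actor": ev["actor"], "target": ev["target"],
                               "resumed_at": ev["t"]})
                del progress[key]
            else:
                progress[key] = nxt + 1
        elif ev["type"] == "thread_resume":
            # Main thread resumed before the chain completed: drop the candidate.
            del progress[key]
    return alerts
```

Because the rule keys on the sequence of operations rather than on user-mode hooks inside the child, it does not depend on the hooks being in place before the APC runs.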

The Early Bird technique is similar to other injection techniques such as AtomBombing, which was first spotted in October 2016. AtomBombing differs in that it aims to hide the injection itself, while Early Bird aims to hide the malicious actions executed after the injection.

We recommend implementing a robust cybersecurity solution on your devices, such as an antivirus for Windows or antivirus for Mac, depending on which OS your machines are running.
We also recommend that every company hire a specialized cybersecurity firm to perform tests, such as a penetration test and various ethical hacking tests, that reveal flaws in the audited company's network.
For companies that operate 100% online, we recommend using cyber-secured web hosting services.