U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools

The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group. The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions. The technique allows injecting a malicious code into a legitimate process, it allows execution […]

APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools

The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group.

The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions.

The technique allows injecting a malicious code into a legitimate process, it allows execution of malware before the entry point of the main thread of a process.

“We saw this technique used by various malware. Among them – the “TurnedUp” backdoor written by APT33 – An Iranian hackers group, A variant of the notorious “Carberp” banking malware and by the DorkBot malware.” reads the analysis published by the experts.

“The malware code injection flow works as follows:

  1. Create a suspended process (most likely to be a legitimate windows process)
  2. Allocate and write malicious code into that process
  3. Queue an asynchronous procedure call (APC) to that process
  4. Resume the main thread of the process to execute the APC”

Anti-malware tools insert hooks when a process starts running, the code sections placed on specific Windows API calls allows security solution to detect the threats while invoking the API.

APT33 Early Bird technique allows bypassing the anti-malware hooking mechanism.

The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” continues the analysis published by Cyberbit.

Experts noticed that during the initialization phase of the main thread, immediately after the call to NtResumeThread, a function called NtTestAlert checks the APC queue to delay the code of the main threat until the APC code is finished.

“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” continues the analysis.

“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,” 

early bird injection

Differently from other methods, the Early Bird technique aims to hide the malicious actions executed post-injection.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Early Bird code injection, APT33)

[adrotate banner=”5″]

[adrotate banner=”13″]