Early Bird

Security researchers have discovered at least three malware strains using a new code injection technique that allowed them to avoid antivirus detection.

They named the technique "Early Bird" because its mode of operation relies on using legitimate Windows OS functions to inject malicious code inside application processes before the actual app process starts and anti-malware products hook into the process to scan for malicious behavior.

Security researchers from Cyberbit, a cyber-security firm based in Ra’anana, Israel, say they found the technique while analyzing the TurnedUp backdoor, a malware strain used by APT33, a suspected Iranian cyber-espionage group.

Later, researchers found that the DorkBot malware downloader and the Carberp malware used in hacks at financial institutions were also using the Early Bird technique.

Cyberbit published a report yesterday with the finer details of the injection process, along with a YouTube video.

Creating a new legitimate process, suspending it, and injecting code as early as possible is not actually a new approach to code injection. What makes Early Bird different is the set of OS functions abused to make this happen.
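The sequence the article describes (a process is created suspended, written to from another process before it has started running, then resumed) is also the shape a defender can look for in endpoint telemetry. The following is an added example and not code from Cyberbit or the article: it correlates constructed process events and flags a target process only when all three steps occur in that order. The event kinds, field names and PIDs are assumptions for illustration, not any real EDR or Sysmon schema; only the CREATE_SUSPENDED flag value is the real Windows constant.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Real Windows process-creation flag; everything else below is constructed.
CREATE_SUSPENDED = 0x4


@dataclass
class Event:
    """One constructed telemetry record (hypothetical schema)."""
    ts: float            # seconds, used only for ordering
    kind: str            # "process_create", "remote_write" or "resume"
    source_pid: int      # process performing the action
    target_pid: int      # process acted upon (for process_create: the new PID)
    flags: int = 0       # creation flags, only meaningful for process_create
    image: str = ""      # image name, for reporting only


def detect_early_injection(events: List[Event]) -> List[Tuple[int, int]]:
    """Return (injector_pid, target_pid) pairs where a process was created
    suspended, received a cross-process memory write while still suspended,
    and was then resumed. A suspended process that is simply resumed (as a
    debugger or installer might do) produces no alert."""
    suspended = {}        # target_pid -> creator pid, while still suspended
    written = set()       # suspended targets that received a remote write
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_create" and ev.flags & CREATE_SUSPENDED:
            suspended[ev.target_pid] = ev.source_pid
        elif (ev.kind == "remote_write"
              and ev.target_pid in suspended
              and ev.source_pid != ev.target_pid):
            written.add(ev.target_pid)
        elif ev.kind == "resume" and ev.target_pid in suspended:
            if ev.target_pid in written:
                alerts.append((suspended[ev.target_pid], ev.target_pid))
            # Once resumed, later writes no longer match the "before start" pattern.
            suspended.pop(ev.target_pid, None)
            written.discard(ev.target_pid)
    return alerts


# Constructed sample: PID 4312 spawns 5520 suspended, writes into it, resumes it.
SAMPLE_EVENTS = [
    Event(1.0, "process_create", 4312, 5520, CREATE_SUSPENDED, "host.exe"),
    Event(1.2, "remote_write", 4312, 5520),
    Event(1.5, "resume", 4312, 5520),
]

# Constructed benign sample: created suspended and resumed, no foreign write.
BENIGN_EVENTS = [
    Event(2.0, "process_create", 700, 710, CREATE_SUSPENDED, "tool.exe"),
    Event(2.3, "resume", 700, 710),
]

if __name__ == "__main__":
    print("alerts:", detect_early_injection(SAMPLE_EVENTS))   # [(4312, 5520)]
    print("benign:", detect_early_injection(BENIGN_EVENTS))   # []
```

The ordering check matters: the same three event types in a different order (for instance a write after the process has already been resumed) describe other behaviour and are deliberately not reported here, which keeps the rule specific to the "before the app process starts" property the article emphasises.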

The Cyberbit write-up will now serve as a guideline for antivirus vendors, which will use the techniques described by Cyberbit to create detection rules for malware that may be trying to abuse Early Bird to hide malicious activity on infected systems.

(Figure: Early Bird code injection technique)
