A new code injection technique dubbed “Early Bird” has been uncovered, allowing the execution of malicious code before the entry point of the main thread of a process, bypassing security product hooks.
The technique was spotted in malware samples analyzed at the Cyberbit malware research lab. Researchers said in an analysis that they had observed it used by several malware families, including a variant of the notorious Carberp banking malware, the DorkBot malware and the TurnedUp backdoor written by the Iranian hacking group APT33.
On a technical front, Early Bird starts with a .NET sample deobfuscating itself, then performing process hollowing and filling the hollowed process with a native Windows image.
“The native Windows image injects into the explorer.exe process,” researchers explained. “The payload inside explorer.exe creates a suspended process – svchost.exe – and injects into it.”
In and of themselves, these steps are nothing new: common, legitimate Windows processes are among malware’s favorite injection targets (svchost.exe, for instance, is a Windows process designated to host services).
But the technique becomes interesting in the next step: after creating the process, researchers observed the malware allocating memory within it and writing code into the allocated memory region.
“The thread has not even started its execution since the process was created in a suspended state,” researchers said. They added, “It loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected.”
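The sequence described above (a process created suspended, memory allocated and written into it from another process, and only then the thread resumed) is also the pattern a defender can look for in process telemetry. The following is an added detection sketch, not code from the Cyberbit analysis; the event schema, PIDs and sample records are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str        # ProcessCreate | RemoteAlloc | RemoteWrite | ThreadResume
    source_pid: int  # process performing the action
    target_pid: int  # process acted upon
    detail: str      # flags or size; hypothetical schema, not a real sensor's


# Constructed sample telemetry: the first four records mirror the Early Bird
# sequence (suspended svchost.exe, remote alloc/write, then resume); the last
# two show a write into a process that was never suspended.
SAMPLE_EVENTS = [
    Event("ProcessCreate", 1840, 2210, "svchost.exe CREATE_SUSPENDED"),
    Event("RemoteAlloc",   1840, 2210, "PAGE_EXECUTE_READWRITE"),
    Event("RemoteWrite",   1840, 2210, "4096 bytes"),
    Event("ThreadResume",  1840, 2210, "primary thread"),
    Event("ProcessCreate", 1200, 2300, "notepad.exe"),
    Event("RemoteWrite",   1200, 2300, "32 bytes"),
]


def find_early_bird_candidates(events):
    """Return (source_pid, target_pid, kind) for every cross-process allocation
    or write into a process that was created suspended and whose primary thread
    has not yet been resumed. Debuggers and some loaders behave the same way,
    so treat hits as candidates to triage, not as verdicts."""
    suspended = set()  # target PIDs created with CREATE_SUSPENDED, not yet resumed
    alerts = []
    for ev in events:
        if ev.kind == "ProcessCreate" and "CREATE_SUSPENDED" in ev.detail:
            suspended.add(ev.target_pid)
        elif ev.kind == "ThreadResume":
            suspended.discard(ev.target_pid)
        elif ev.kind in ("RemoteAlloc", "RemoteWrite"):
            if ev.source_pid != ev.target_pid and ev.target_pid in suspended:
                alerts.append((ev.source_pid, ev.target_pid, ev.kind))
    return alerts


if __name__ == "__main__":
    for hit in find_early_bird_candidates(SAMPLE_EVENTS):
        print("early-bird candidate:", hit)
```

The write into PID 2300 is not flagged because that process was never suspended; extending the check to writes that occur after ThreadResume would catch ordinary injection, but that is a different pattern from the one the researchers describe.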
Early Bird makes malware very stealthy indeed: as of March 20, this payload was flagged by only 29 out of 62 anti-malware vendors. The original sample, which dates back to 2014, was flagged by 47 out of 62 vendors.