The security company Cyberbit has identified three cases of a new code injection technique, dubbed “Early Bird”. The name refers to how the malware that uses it operates: the malware injects malicious code into a legitimate process that has been started in a suspended state on the victim’s machine, then asks the operating system to resume that process, at which point the injected code runs. This lets the malware run its commands under the cover of a program the system already trusts.
What makes this technique distinctive is that the malicious code is run very early in the initialization of the target process, before the process’s own main thread has begun executing its normal code. Because of this, most anti-malware products, which typically place their monitoring hooks inside a process as part of its normal start-up, are unable to spot the malicious code in time to prevent it from executing. Because the technique relies on Windows-specific API calls, malware that uses this form of code injection is limited to hosts running the Windows operating system.
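The article does not name the calls involved, but Cyberbit’s own write-up describes the chain as creating a process with the CREATE_SUSPENDED flag, writing code into it, queuing an asynchronous procedure call (QueueUserAPC) to its initial thread, and only then resuming it. The following detection sketch is an added example, not code from the article or from Cyberbit: it correlates constructed API telemetry per target process and distinguishes the Early Bird ordering (APC queued before the first resume) from classic APC injection into an already-running process. The event field names and the sample events are assumptions standing in for what an EDR sensor might log.

```python
"""Flag Early Bird-style APC injection from per-process API telemetry.

Added example (not from the article or Cyberbit). Event field names and the
sample events are assumptions; only CREATE_SUSPENDED is a real Windows constant.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcess (real Windows value)


@dataclass
class ApiEvent:
    """One API call as an EDR sensor might report it (assumed schema)."""
    seq: int          # monotonic order in which the sensor observed the call
    api: str          # "CreateProcess", "WriteProcessMemory", "QueueUserAPC", "ResumeThread", ...
    pid: int          # process making the call
    target_pid: int   # process the call acts on (equal to pid for in-process calls)
    flags: int = 0    # dwCreationFlags for CreateProcess, 0 otherwise


@dataclass
class TargetState:
    """What has been done to one target process so far."""
    creator: Optional[int] = None          # pid that created it with CREATE_SUSPENDED
    remote_write_from: Optional[int] = None  # pid that wrote into its memory
    remote_apc_from: Optional[int] = None    # pid that queued an APC to one of its threads
    resumed: bool = False                    # first cross-process ResumeThread seen


def detect_apc_injection(events: List[ApiEvent]) -> List[Tuple[str, int, int]]:
    """Return (verdict, injector_pid, target_pid) tuples.

    'early_bird'    : target created suspended, then written to and given a
                      cross-process APC by its creator *before* being resumed,
                      so the APC runs ahead of the target's entry point and
                      ahead of any user-mode hooks the target would have loaded.
    'apc_injection' : same cross-process write + QueueUserAPC pair, but queued
                      after the target was already running (classic variant).
    """
    state: Dict[int, TargetState] = defaultdict(TargetState)
    verdicts: List[Tuple[str, int, int]] = []
    for ev in sorted(events, key=lambda e: e.seq):
        st = state[ev.target_pid]
        cross = ev.pid != ev.target_pid
        if ev.api == "CreateProcess" and ev.flags & CREATE_SUSPENDED:
            st.creator = ev.pid
        elif ev.api == "WriteProcessMemory" and cross:
            st.remote_write_from = ev.pid
        elif ev.api == "QueueUserAPC" and cross:
            st.remote_apc_from = ev.pid
            if st.resumed and st.remote_write_from == ev.pid:
                verdicts.append(("apc_injection", ev.pid, ev.target_pid))
        elif ev.api == "ResumeThread" and cross and not st.resumed:
            st.resumed = True
            if (st.creator == ev.pid and st.remote_write_from == ev.pid
                    and st.remote_apc_from == ev.pid):
                verdicts.append(("early_bird", ev.pid, ev.target_pid))
    return verdicts


# Constructed telemetry, not a real capture.
SAMPLE_EVENTS = [
    # Early Bird ordering: injector 4100 plants code and an APC before the child ever runs
    ApiEvent(1, "CreateProcess", 4100, 5200, CREATE_SUSPENDED),
    ApiEvent(2, "VirtualAllocEx", 4100, 5200),      # ignored by the detector, kept for realism
    ApiEvent(3, "WriteProcessMemory", 4100, 5200),
    ApiEvent(4, "QueueUserAPC", 4100, 5200),
    ApiEvent(5, "ResumeThread", 4100, 5200),
    # Benign: a launcher starts a child suspended to configure it, then resumes it
    ApiEvent(6, "CreateProcess", 800, 900, CREATE_SUSPENDED),
    ApiEvent(7, "ResumeThread", 800, 900),
    # Classic APC injection: same calls, but only after the child is already running
    ApiEvent(8, "CreateProcess", 4100, 6000, CREATE_SUSPENDED),
    ApiEvent(9, "ResumeThread", 4100, 6000),
    ApiEvent(10, "WriteProcessMemory", 4100, 6000),
    ApiEvent(11, "QueueUserAPC", 4100, 6000),
]

if __name__ == "__main__":
    for verdict, injector, target in detect_apc_injection(SAMPLE_EVENTS):
        print(f"{verdict}: pid {injector} -> pid {target}")
```

The ordering check is the whole point: a suspended-create followed by a resume is common and benign (debuggers and launchers do it), and a cross-process write on its own is noisy, so the rule only fires when the write and the APC both come from the creator and land before the first resume. A real sensor would also need the thread handle to confirm the APC targets the initial thread, which this sketch assumes.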
The Early Bird code injection technique was found in several malware samples, the most notable of which is a backdoor called “TurnedUp”, attributed to the Iranian hacker group APT33. Other malware found using the technique includes a variant of the banking malware “Carberp” and “DorkBot”, a general-purpose malware that can download instructions for conducting botnet-style attacks and stealing user passwords.