A new technique dubbed “Early Bird” has been uncovered, allowing the execution of malicious code before the entry point of the main thread of a process, bypassing security product hooks.

The technique appeared in malware samples at the Cyberbit malware research lab. Researchers said in an analysis that they observed the technique used by various malware, including a variant of the notorious Carberp banking malware, the DorkBot malware and the TurnedUp backdoor written by the APT33 Iranian hacker group.

On the technical front, Early Bird starts with a .NET sample deobfuscating itself, then performing process hollowing and filling the hollowed process with a native Windows image.

“The native Windows image injects into the explorer.exe process,” researchers explained. “The payload inside explorer.exe creates a suspended process – svchost.exe – and injects into it.”

In and of themselves, these steps are nothing new: Common legitimate Windows processes are among malware’s favorite targets (svchost.exe, for instance, is a Windows process designated to host services).

But the technique becomes interesting in the next step: After creating the process, researchers observed the malware allocating memory within it and writing code to the allocated memory region.

“The thread has not even started its execution since the process was created in a suspended state,” researchers said. They added, “It loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected.”
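Detection logic for the sequence described above, as an added example that is not from the article or the researchers' analysis: it correlates process-creation and cross-process memory events to flag a child process that is allocated into and written to while still suspended from creation. The event names and fields are a hypothetical telemetry schema, and the sample events are constructed.

```python
from dataclasses import dataclass, field

# Constructed telemetry in a hypothetical schema (not from any real product).
EVENTS = [
    {"ts": 1, "event": "process_create", "src_pid": 4012, "dst_pid": 5120,
     "image": "svchost.exe", "suspended": True},
    {"ts": 2, "event": "remote_alloc", "src_pid": 4012, "dst_pid": 5120},
    {"ts": 3, "event": "remote_write", "src_pid": 4012, "dst_pid": 5120},
    {"ts": 4, "event": "thread_resume", "src_pid": 4012, "dst_pid": 5120},
    # Benign: child created suspended, resumed with no foreign memory activity.
    {"ts": 5, "event": "process_create", "src_pid": 800, "dst_pid": 5200,
     "image": "notepad.exe", "suspended": True},
    {"ts": 6, "event": "thread_resume", "src_pid": 800, "dst_pid": 5200},
    # Activity after the main thread is running: outside this rule's window.
    {"ts": 7, "event": "remote_alloc", "src_pid": 800, "dst_pid": 5200},
    {"ts": 8, "event": "remote_write", "src_pid": 800, "dst_pid": 5200},
]

@dataclass
class Pending:
    image: str
    creator: int
    seen: set = field(default_factory=set)

def find_pre_entry_writes(events):
    """Flag processes that receive a cross-process allocation AND write
    while still suspended from creation (main thread has never run)."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, pid = ev["event"], ev["dst_pid"]
        if kind == "process_create":
            if ev.get("suspended"):
                pending[pid] = Pending(ev["image"], ev["src_pid"])
            else:
                pending.pop(pid, None)  # pid reuse: drop stale state
        elif kind == "thread_resume":
            pending.pop(pid, None)      # main thread started; window closed
        elif (kind in ("remote_alloc", "remote_write")
              and pid in pending and ev["src_pid"] != pid):
            p = pending[pid]
            p.seen.add(kind)
            if {"remote_alloc", "remote_write"} <= p.seen:
                findings.append({"pid": pid, "image": p.image, "ts": ev["ts"],
                                 "creator": p.creator, "writer": ev["src_pid"]})
                del pending[pid]        # report each target once
    return findings

if __name__ == "__main__":
    print(find_pre_entry_writes(EVENTS))
```

The rule fires on the write itself rather than waiting for the resume event, so it still reports when resume telemetry is missing.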

Early Bird allows malware to be very stealthy indeed: As of March 20, this payload was signed by only out of 62 anti-malware vendors. The original sample, which dates back to 2014, was signed by 47 out of 62 vendors.


