APT33 devised a code injection technique dubbed Early Bird to evade detection by anti-malware tools
13.4.2018 securityaffairs APT
The Iran-linked APT33 group continues to be very active, security researchers at Cyberbit have discovered an Early Bird code injection technique used by the group.
The Early Bird method was used to inject the TurnedUp malware into the infected systems evading security solutions.
The technique allows injecting a malicious code into a legitimate process, it allows execution of malware before the entry point of the main thread of a process.
“We saw this technique used by various malware. Among them – the “TurnedUp” backdoor written by APT33 – An Iranian hackers group, A variant of the notorious “Carberp” banking malware and by the DorkBot malware.” reads the analysis published by the experts.
“The malware code injection flow works as follows:
Create a suspended process (most likely to be a legitimate windows process)
Allocate and write malicious code into that process
Queue an asynchronous procedure call (APC) to that process
Resume the main thread of the process to execute the APC”
Anti-malware tools insert hooks when a process starts running, the code sections placed on specific Windows API calls allows security solution to detect the threats while invoking the API.
APT33 Early Bird technique allows bypassing the anti-malware hooking mechanism.
The Early Bird technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks – which allows the malware to perform its malicious actions without being detected,” continues the analysis published by Cyberbit.
Experts noticed that during the initialization phase of the main thread, immediately after the call to NtResumeThread, a function called NtTestAlert checks the APC queue to delay the code of the main threat until the APC code is finished.
“During the initialization phase of the main thread (Right after the call to NtResumeThread), a function called NtTestAlert checks the APC queue. If the APC queue is not empty – NtTestAlert will notify the kernel which in return jump to KiUserApcDispatcher which will execute the APC. The code of the main thread itself will not execute until the code of the APC is finished executing,” continues the analysis.
“Before returning to user-mode, the kernel prepares the user-mode thread to jump to KiUserApcDispatcher which will execute the malicious code in our case,”
Differently from other methods, the Early Bird technique aims to hide the malicious actions executed post-injection.
The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.