Code Injection Technique “Early Bird”

Code Injection Technique “Early Bird”

Security researchers have discovered at least three new malware strains using a new code injection technique that allowed them to evade antivirus detection.code injection

They have named the technique “Early Bird” because its mode of operation relies on using legit Windows OS functions to inject malicious code inside application processes before the actual application process starts and anti-malware products hook into the process to scan for malicious behavior.

Security researchers from Cyberbit, a cyber-security firm based in Ra’anana, Israel, say they discovered the technique while analyzing the TurnedUp backdoor, a malware strain used by APT33, a suspected Iranian cyber-espionage group.

Later on, researchers found that the DorkBot malware downloader and the Carberp malware used in hacks at financial institutions were also using the “Early Bird” technique.

Cyberbit published a report a few days ago with the details of the injection process, along with a YouTube video (below).

Creating new legitimate process, suspending the process, and then injecting code as early as possible is not actually a new approach to code injection.

What makes Early Bird different is the OS functions that were abused to make this happen.

The Cyberbit report will now serve as a guideline for antivirus vendors, which will use the techniques described by Cyberbit to create detection rules for malware that may be trying to abuse “Early Bird” to hide malicious activity on the infected systems.

Olé Crypto,


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.