New ‘Early Bird’ Code Injection Technique Discovered

itman · Apr 14, 2018

This injection technique allows the injected code to run before the entry point of the main thread of the process, thereby allowing to avoid detection by anti-malware products’ hooks.

We researched a code injection technique that appeared in malware samples at the Cyberbit malware research lab. It is a simple yet powerful code injection technique. Its stealth allows execution of malicious code before the entry point of the main thread of a process, hence – it can bypass security product hooks if they are not placed before the main thread has its execution resumed. But before the execution of the code of that thread, the APC executes.

The malware code injection flow works as follows:

Create a suspended process (most likely to be a legitimate windows process)

Allocate and write malicious code into that process

Queue an asynchronous procedure call (APC) to that process

Resume the main thread of the process to execute the APC

Click to expand...

https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/

Rasheed187 · Apr 14, 2018

Yes, this was already mentioned in another thread. Quite clever new technique, if I understood it correctly. Especially because it bypasses hooks of security products. I already asked if it's possible for a product like EXE Radar to simply block processes from starting child processes in suspended state, the developer will look into it.

Log in or Sign up

New ‘Early Bird’ Code Injection Technique Discovered

itman Registered Member

Rasheed187 Registered Member

Log in or Sign up

New ‘Early Bird’ Code Injection Technique Discovered

itman Registered Member

Rasheed187 Registered Member

Useful Searches