Delaware, USA – April 13, 2018 – Attackers from the Iranian group APT33 are leveraging a new technique to inject malicious code into legitimate processes. Researchers from Cyberbit dubbed the technique ‘Early Bird’. It had not been observed in earlier attacks, and the malware delivered with it allowed the researchers to link the latest attacks to APT33.

Most anti-malware products watch for attempts to inject code into processes, but the new technique lets adversaries hide both the injection and the injected code's activity from them. The attacker creates a legitimate process in a suspended state, writes the malicious code into its memory, and queues an asynchronous procedure call (APC) to the process's main thread that points at that code. When the thread is resumed, the APC runs during thread initialization, before the program's entry point executes and before the anti-malware product has placed its user-mode hooks in the new process, so the injected code goes unnoticed. Attackers have already used this technique to infect systems with the TurnedUp backdoor, banking malware from the Carberp family and the DorkBot downloader. APT33 has been active since at least 2013; its primary operations are cyber espionage campaigns against organizations in the government, defense and financial sectors.
The researchers do not reveal the initial delivery vector, but in past campaigns APT33 has relied on social engineering and spear phishing. Although the ‘Early Bird’ technique is hard to catch at injection time, the activity still leaves traces on the system: the injector has to spawn the legitimate host process itself, so an unusual parent/child relationship shows up in process creation telemetry, and the payload still has to be written into the host's memory. To identify such traces, you can use content from Threat Detection Marketplace – the Sysmon Framework and Threat Hunting Framework – which provide SIEM administrators with the information needed to investigate suspicious activity.
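The following is an added example, not code from Cyberbit, SOC Prime or the frameworks named above, showing how the two traces the technique cannot hide (described in the paragraphs above) can be hunted in Sysmon data: a common injection host (svchost.exe and the like) started by a parent that does not normally start it (Event ID 1), and a process opening that host with memory-write rights (Event ID 10). The expected-parent map, the flattened `key="value"` event format and the sample events are all constructed for the example; Event ID 10 matching also assumes Sysmon is configured to log ProcessAccess for the target images.

```python
"""Hunt for Early Bird-style injection traces in Sysmon events.

Added example; the rules, the expected-parent map and the sample events are
assumptions of this example, not rules shipped by any detection framework.
"""
import re
from typing import Dict, List

# Injection hosts commonly abused, mapped to the parents that start them
# legitimately. Assumption of this example; tune per environment.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "winlogon.exe", "explorer.exe"},
    "notepad.exe": {"explorer.exe"},
}

# Rights an injector needs on the target before it can write a payload.
# Sysmon Event 10 reports GrantedAccess as a hex mask.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one Sysmon record flattened to key="value" pairs (constructed format)."""
    return dict(_FIELD.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines: List[str]) -> List[str]:
    """Return findings for the two traces an Early Bird injection leaves.

    Rule 1 (Event ID 1): a known injection host started by an unexpected parent.
      The injector must spawn the host itself (suspended), so the parent/child
      pair is visible even though the APC-based code execution is not.
    Rule 2 (Event ID 10): a process opens such a host with VM_OPERATION and
      VM_WRITE; extra weight if that process is the one that just spawned it.
    """
    findings: List[str] = []
    spawned: Dict[str, str] = {}  # child pid -> parent image name
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            child, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            spawned[ev["ProcessId"]] = parent
            allowed = EXPECTED_PARENTS.get(child)
            if allowed is not None and parent not in allowed:
                findings.append(
                    f"unexpected parent: {parent} -> {child} (pid {ev['ProcessId']})"
                )
        elif eid == "10":
            target = basename(ev["TargetImage"])
            granted = int(ev["GrantedAccess"], 16)
            if target in EXPECTED_PARENTS and granted & WRITE_MASK == WRITE_MASK:
                src = basename(ev["SourceImage"])
                pid = ev["TargetProcessId"]
                why = "source spawned the target" if spawned.get(pid) == src else "write access"
                findings.append(f"memory write access: {src} -> {target} (pid {pid}, {why})")
    return findings


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # Benign: services.exe starting svchost.exe.
    'EventID="1" Image="C:\\Windows\\System32\\svchost.exe" '
    'ParentImage="C:\\Windows\\System32\\services.exe" ProcessId="1204" ParentProcessId="700"',
    # Suspicious: a binary under the user profile spawns svchost.exe ...
    'EventID="1" Image="C:\\Windows\\System32\\svchost.exe" '
    'ParentImage="C:\\Users\\alice\\AppData\\Roaming\\update.exe" ProcessId="4412" ParentProcessId="3320"',
    # ... and then opens it with full access (includes VM_OPERATION|VM_WRITE).
    'EventID="10" SourceImage="C:\\Users\\alice\\AppData\\Roaming\\update.exe" '
    'TargetImage="C:\\Windows\\System32\\svchost.exe" TargetProcessId="4412" GrantedAccess="0x1FFFFF"',
    # Benign: Task Manager querying svchost.exe with query-only rights.
    'EventID="10" SourceImage="C:\\Windows\\System32\\taskmgr.exe" '
    'TargetImage="C:\\Windows\\System32\\svchost.exe" TargetProcessId="1204" GrantedAccess="0x1000"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it reports the two suspicious records and stays silent on the benign ones. Note that Sysmon Event ID 8 (CreateRemoteThread) is deliberately not used: Early Bird never calls CreateRemoteThread, so that rule would stay quiet, which is exactly why the parent/child and ProcessAccess angles matter here.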