So what’s code injection and why is it dangerous? In terms of a malware exploit, code injection is performed by an attacker to make a legitimate application do something it shouldn’t. Attackers place or inject code into an application or process to subvert its normal activity and make it perform tasks that benefit the attacker. This is dangerous because the application can then be manipulated to give the attacker full control over a victim’s computer or other device.
Code injection is rapidly becoming the preferred attack vector because it offers more benefits to an attacker. The 2018 IBM threat intelligence report shows that code injection increased alarmingly in 2017, making up more than 79% of all attacks.
This post will outline several recent exploits that use a variety of code injection techniques to target victims. These are the FakeUpdate campaign, Smoke Loader malware, and the Early Bird technique.
The FakeUpdate Campaign
The FakeUpdate campaign began last December and has been growing rapidly ever since. For whatever reason (phishing email, redirection), you may end up on one of the campaign’s infected but otherwise legitimate websites. Most of these sites have been abandoned or are simply outdated. Upon arriving at the site, the malicious code analyzes which browser you are using and then tells you it’s time to update it. The popup will look legitimate, as in the following example.
You are told to update the file from a legitimate looking Dropbox account. However, if you look at the URL, you will see the site in which the malicious code was injected. Here is that compromised site, as exposed by Malwarebytes.
This exploit sends a given visitor to a specific infected site only once, so as to avoid detection. Accepting the ‘update’ above will download a file onto your device which will connect to the C&C server and receive instructions. The exploit has the ability to detect and avoid sandboxes. If the exploit is successful, banking malware (Chtonic, ZeusVM) will be installed on your device. Some of the infections installed RATs (Remote Access Trojans), which give total control of your device to the attacker.
The campaign targets Firefox and Chrome browsers through fake updates, while Internet Explorer users are targeted through Flash Player updates. Thousands of sites are said to be infected. Normal browsing precautions should subvert these attacks. In other words, check out any URLs you are being directed to.
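The advice above, to check any URL you are directed to, can be turned into a mechanical check. The following is an added example, not code from the original post or from Malwarebytes: it decides whether a "browser update" download link actually points at the browser vendor's domain. The vendor domains in `VENDOR_DOMAINS` are an assumption made for this example, and the sample URLs are constructed; the point it illustrates is that the check must be done on the parsed host, because a link such as `https://mozilla.org@evil.example/` or `https://mozilla.org.evil.example/` reads as the vendor's site at a glance while a file-sharing link does not belong to the vendor at all.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of domains from which a genuine update for each browser
# would be served. These are assumptions for the example, not from the post.
VENDOR_DOMAINS = {
    "firefox": ("mozilla.org",),
    "chrome": ("google.com",),
}


def is_expected_update_host(url: str, browser: str) -> bool:
    """Return True only if the URL is HTTPS and its parsed host is the vendor
    domain or a subdomain of it. Using urlsplit().hostname discards any
    'user@' prefix, so 'https://mozilla.org@evil.example/' resolves to
    'evil.example' rather than to the vendor."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    for domain in VENDOR_DOMAINS.get(browser, ()):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def triage_update_links(urls, browser):
    """Map each candidate download URL to a verdict string for review."""
    return {
        url: ("vendor host" if is_expected_update_host(url, browser) else "NOT vendor host")
        for url in urls
    }


# Constructed sample links of the kind a fake-update popup might offer.
SAMPLE_LINKS = [
    "https://download.mozilla.org/?product=firefox-latest",   # genuine vendor host
    "https://www.dropbox.com/s/abc123/FirefoxUpdate.exe",     # file-sharing host
    "https://mozilla.org@evil.example/update.exe",            # userinfo trick
    "https://mozilla.org.evil.example/update.exe",            # lookalike subdomain
    "http://download.mozilla.org/update.exe",                 # plain HTTP
]

if __name__ == "__main__":
    for link, verdict in triage_update_links(SAMPLE_LINKS, "firefox").items():
        print(f"{verdict:16} {link}")
```

Only the first link passes. A real deployment would compare against the vendor's actual update endpoints rather than a whole registered domain, but even this coarse check rejects every lure shape the campaign relies on.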
Smoke Loader Malware
In March, within a 12 hour period, Windows Defender found 400,000 computers infected with Smoke Loader malware (aka Dofoil). Smoke Loader is designed to take over computers in order to mine cryptocurrencies. Windows Defender quickly undermined the attackers, but they returned with upgraded attacks shortly thereafter. Smoke Loader injects its code into explorer.exe, which loads Windows Explorer.
Last year, one of the big tech stories concerned flaws in Intel and other chips. Smoke Loader has been known to take advantage of this by masquerading as a patch for that problem. Victims may be led to a site that tells them to download the “Intel-AMD-SecurityPatch-11-01bsi.zip”. Downloading and running the included “Intel-AMD-SecurityPatch-10-1-v1.exe” will install the malware. The site the malware is stored on will often be an HTTPS site constructed by the criminals, which many users may assume is safe. But cheap certificates are easy to come by. It should be kept in mind that any news event can be manipulated to trick victims into downloading malware.
Cryptocurrency mining malware has rapidly grown in popularity among criminals. The malware enslaves a group of computers, devices, or things and has them work for the attackers on producing new coins by solving complex algorithms. Since mining requires huge amounts of power, the attackers want the owners of these compromised computers to absorb the electricity costs. So, in addition to sudden increases in their electric bills, victims may notice that their devices have suddenly slowed down. In the case of cryptocurrency mining malware, it is in the perpetrators’ best interest to remain undiscovered. They will want to slow, but not stop, the devices the mining malware is running on.
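Because a miner that throttles itself never produces the CPU spike a naive alert looks for, a detector has to look at how long usage stays elevated, not how high it peaks. The block below is an added example, not code from the original post: it runs two rules over a constructed set of per-process CPU samples and shows that a peak-based rule catches the legitimately bursty process while missing the steady one, whereas a sustained-usage rule does the reverse. The process names and values are made up for illustration.

```python
from statistics import median

# Constructed sample: CPU percentage per process, sampled once a minute.
# Values are illustrative, not real telemetry.
SAMPLES = {
    "explorer.exe": [2, 3, 1, 4, 2, 3, 2, 1, 3, 2],
    "chrome.exe":   [95, 5, 3, 4, 88, 2, 3, 5, 4, 3],           # bursty but normal
    "svchost.exe":  [58, 61, 55, 60, 57, 59, 62, 56, 60, 58],  # steady, throttled load
}


def peak_cpu(samples, threshold=90.0):
    """Naive rule: flag any process that ever exceeds `threshold`."""
    return {name for name, values in samples.items() if values and max(values) >= threshold}


def sustained_cpu(samples, threshold=40.0, min_fraction=0.8):
    """Flag processes whose CPU is at or above `threshold` in at least
    `min_fraction` of the samples. Returns per-process evidence so an
    analyst can see why the process was flagged."""
    flagged = {}
    for name, values in samples.items():
        if not values:
            continue
        fraction_above = sum(1 for v in values if v >= threshold) / len(values)
        if fraction_above >= min_fraction:
            flagged[name] = {
                "median_cpu": median(values),
                "fraction_above": fraction_above,
            }
    return flagged


if __name__ == "__main__":
    print("peak rule flags:     ", sorted(peak_cpu(SAMPLES)))
    print("sustained rule flags:", sustained_cpu(SAMPLES))
```

The thresholds are tunable; the design point is that the sustained rule uses the fraction of the window spent above a moderate level, which is exactly the signal a "slow but don't stop" miner cannot hide without giving up most of its hashing.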
The Early Bird Technique
In this technique, code is injected into legitimate processes that start before any antivirus software starts running. It thereby avoids detection, since the antivirus programs only see legitimate processes running. The malware within these processes can be installed without being detected. The legitimate processes normally targeted were explorer.exe, svchost.exe, and rundll32.exe. The injected malware remains persistent after reboot by writing a registry key.
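The registry persistence and the choice of host processes give a defender something concrete to hunt for. The following is an added example, not code from the original post or from Cyberbit: it triages a constructed list of autorun entries and flags the two patterns that line up with the description above, a binary carrying a system-process name (svchost.exe, explorer.exe, rundll32.exe) that is launched from outside the Windows or Program Files directories, and rundll32.exe being used to load a DLL from a user-writable location. The post does not name the registry key the malware writes, so the Run keys and every entry in `RUN_ENTRIES` are assumptions constructed for the example.

```python
import re

# Constructed autorun entries as (registry key, value name, command line), the shape
# of data 'reg query' or Autoruns would produce. Keys and commands are made up.
RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"rundll32.exe C:\Users\alice\AppData\Roaming\upd\core.dll,Start"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
]

# Names of the legitimate processes the technique is reported to use as hosts.
SYSTEM_HOSTS = {"explorer.exe", "svchost.exe", "rundll32.exe"}
# Directories a genuine copy of those binaries would be launched from.
SYSTEM_DIRS = re.compile(r"^(C:\\Windows\\|C:\\Program Files)", re.IGNORECASE)
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)


def triage_command(command: str):
    """Return the list of reasons an autorun command deserves analyst review.
    Assumes the executable path contains no spaces (true of the sample data)."""
    reasons = []
    tokens = command.split()
    if not tokens:
        return reasons
    exe = tokens[0]
    exe_name = exe.rsplit("\\", 1)[-1].lower()

    # A bare name like 'rundll32.exe' resolves through the system PATH, so only
    # an explicit path outside the system directories is suspicious.
    if "\\" in exe and exe_name in SYSTEM_HOSTS and not SYSTEM_DIRS.match(exe):
        reasons.append(f"{exe_name} launched from non-system path {exe}")

    # rundll32 executing a DLL that lives where any user can drop a file.
    if exe_name == "rundll32.exe" and len(tokens) > 1:
        dll = tokens[1].split(",", 1)[0]
        if USER_WRITABLE.search(dll):
            reasons.append(f"rundll32 loads DLL from user-writable path {dll}")
    return reasons


def triage(entries):
    """Map each autorun value name to its reasons, keeping only flagged entries."""
    return {name: r for _key, name, cmd in entries if (r := triage_command(cmd))}


if __name__ == "__main__":
    for name, reasons in triage(RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The two legitimate entries survive untouched, including the OneDrive one that sits under AppData, because living in a user-writable directory is not by itself a signal; the rules fire on the combination of a trusted process name or loader with an untrusted location, which is the signature of the host-process abuse the post describes.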
This is more sophisticated than normal exploits and Cyberbit, the firm that exposed the technique, suggests connections with the government-backed Iranian hacker group, APT33. This is disconcerting because APT33 has been known to target the aerospace and energy sectors.
How does APT33 get the Early Bird technique into devices in the first place? In the past, the group specialized in spear phishing employees in the firms or organizations they wanted to target. These employees were apparently sent emails concerning potential jobs in their fields. The emails contained links to HTML files with legitimate job ads but with malicious code injected. Visiting such sites would install the Early Bird attack vector, which would, in turn, install whatever malware the attackers wanted to use. If this is, indeed, an attack vector being used by APT33, then the goal of the malware would be to use the compromised employee device to access the corporate network and steal information. If, however, Early Bird is being used by other attackers, this technique can be used to install anything from banking malware to RATs.
The Future of Code Injection
Some code is routinely injected into browsers by antivirus programs to stop malicious actions. However, leaving this door open gives attackers a potential entry point that can be exploited for evil purposes. For this reason, Google will block all third-party code injection into its Chrome browser by January 2019. Expect other browser makers to follow this example, and expect attackers to find ways to circumvent it. That’s just the way it is.