1
00:00:00,540 --> 00:00:01,050
Hello.

2
00:00:01,470 --> 00:00:07,440
Welcome to this session on Early Bird APC injection.

3
00:00:10,010 --> 00:00:16,400
Achieving camouflage by hijacking a legitimate process before it hits its entry point.

4
00:00:17,360 --> 00:00:24,530
Camouflage is where it hides behind another process, taking on the icon of the target process.

5
00:00:26,910 --> 00:00:33,930
Basic concepts: a malware creates a legitimate process in a suspended state.

6
00:00:34,290 --> 00:00:35,280
This is the first step.

7
00:00:36,940 --> 00:00:39,940
Then it injects shellcode into it.

8
00:00:42,120 --> 00:00:46,080
And inserts a job into the thread's APC queue.

9
00:00:48,830 --> 00:00:57,920
And finally, resumes the thread. The shellcode executes before the process begins, in order to avoid detection

10
00:00:57,920 --> 00:01:00,830
by anti-malware hooks.

11
00:01:01,640 --> 00:01:02,600
There are AV hooks,

12
00:01:02,930 --> 00:01:07,490
which are running inside the software itself.

13
00:01:09,680 --> 00:01:18,620
Mechanism of Early Bird APC injection: on the left is a malware Trojan with an embedded shellcode; on

14
00:01:18,620 --> 00:01:23,660
the right is the target program, which has not yet started running.

15
00:01:24,110 --> 00:01:26,130
It is still on the file.

16
00:01:26,660 --> 00:01:28,760
It will be started by the malware Trojan.

17
00:01:30,470 --> 00:01:35,870
So once you start it, it will have the usual thread and also an APC queue within it.

18
00:01:36,230 --> 00:01:38,450
But at the moment it has not yet started.

19
00:01:42,070 --> 00:01:48,100
So the first step is the malware Trojan will create a process in a suspended state.

20
00:01:48,610 --> 00:01:55,840
The malware Trojan will open the target program and run it, but

21
00:01:56,810 --> 00:01:58,340
put it in a suspended state.

22
00:01:59,060 --> 00:02:05,630
So at this point in time, the target process is suspended, as though it were a zombie.

23
00:02:06,670 --> 00:02:11,260
And it has got a thread and an APC queue inside it.

24
00:02:16,430 --> 00:02:18,860
Second is to allocate memory.

25
00:02:20,660 --> 00:02:23,540
It does that by the VirtualAllocEx API.

26
00:02:25,010 --> 00:02:28,520
And this is the allocated memory in blue.

27
00:02:30,190 --> 00:02:37,570
Then you copy the shellcode to the memory using the WriteProcessMemory API function.

28
00:02:38,410 --> 00:02:40,600
And now this has been copied over.

29
00:02:43,040 --> 00:02:45,290
Next, it will add it to the queue,

30
00:02:45,320 --> 00:02:55,280
the APC queue, using the QueueUserAPC API function, and now the shellcode has been added into the APC

31
00:02:55,280 --> 00:02:55,640
queue.

32
00:02:58,350 --> 00:03:04,110
Then it will resume the thread using the ResumeThread function.

33
00:03:05,100 --> 00:03:07,830
And now the thread has been resumed.

34
00:03:08,280 --> 00:03:13,790
It will go to the APC queue and the shellcode kicks in.

35
00:03:16,280 --> 00:03:24,950
So once the shellcode executes, this target process camouflages it. Inside,

36
00:03:25,250 --> 00:03:27,410
you have your shellcode running.

37
00:03:27,800 --> 00:03:32,540
But outside, it takes on the application icon of the target process.

38
00:03:33,800 --> 00:03:37,400
So this is the mechanism of Early Bird APC injection.

39
00:03:39,530 --> 00:03:45,250
Advantages and disadvantages of Early Bird APC injection. Advantages:

40
00:03:45,740 --> 00:03:53,540
Firstly, you camouflage the execution of the malicious code by hijacking a legitimate process before

41
00:03:53,540 --> 00:03:54,890
it hits the entry point.

42
00:03:56,910 --> 00:04:01,860
The remaining code of the actual legitimate process is abandoned whilst the shellcode runs.

43
00:04:05,350 --> 00:04:14,620
So coming back to this, once the process resumes, the shellcode takes over; the remaining code of

44
00:04:14,620 --> 00:04:16,930
that process never executes.

45
00:04:17,080 --> 00:04:17,860
It never runs.

46
00:04:23,240 --> 00:04:31,790
Secondly, it bypasses security products, specifically those functions which are built into the software

47
00:04:31,790 --> 00:04:34,100
in order to detect malicious behavior.

48
00:04:36,370 --> 00:04:40,240
The shellcode executes before the process begins,

49
00:04:41,580 --> 00:04:44,370
in order to avoid detection by anti-malware hooks.

50
00:04:46,440 --> 00:04:54,230
Also, it runs under the application icon of the camouflaging process, so to a casual observer or even to antivirus,

51
00:04:54,240 --> 00:04:56,520
it appears as a legitimate process.

52
00:04:58,530 --> 00:04:59,610
The disadvantages.

53
00:05:01,030 --> 00:05:09,490
Firstly, it uses VirtualAllocEx and WriteProcessMemory, which are usually detected by AV unless they are

54
00:05:09,490 --> 00:05:09,640
obfuscated.

55
00:05:12,730 --> 00:05:15,160
It may also occasionally crash on exit.

56
00:05:16,660 --> 00:05:22,780
And this is quite common in this kind of APC injection, even in the thread context injection, as well

57
00:05:22,780 --> 00:05:25,780
as all the APC injections: crash on termination.

58
00:05:28,890 --> 00:05:29,830
Thank you for watching.

59
00:05:29,870 --> 00:05:35,070
That's all for this theoretical background on Early Bird APC injection.