Process hollowing takes a trusted application, such as explorer.exe or svchost.exe, and loads it onto the system in a suspended state to act as a container for hostile code. Since the malicious code’s execution is masked under a legitimate process, it evades detection by less advanced security solutions.
Early Bird code injection takes advantage of the application threading process that happens when a program executes on a computer. The attack loads malicious code in an early stage of the thread initialization, before many security solutions set their hooks, allowing the malware to act undetected.
Asynchronous procedure call (APC) is a Windows function that can redirect a thread from its normal execution path to execute something else. By injecting into that call, attackers can use it to run their malicious code.
Eric Doerr, vice president of Microsoft Cloud Security, said companies need better visibility into their assets and exposure to the internet, regardless if they run in multi-cloud or hybrid cloud environments.