New Mockingjay Process Injection Technique: Evading Detection Made Possible

Mockingjay Process Injection Technique
A new process injection technique called Mockingjay lets threat actors run malicious code inside legitimate processes on a compromised system while evading detection by endpoint security products.

Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor wrote in a report that Mockingjay achieves injection without allocating memory in the target, changing page permissions, or starting a new thread. Instead, it relies on a legitimate DLL that the researchers describe as vulnerable because it already contains a section mapped Read-Write-Execute (RWX), and simply copies the payload into that section.

Process injection is a technique for executing arbitrary code within the memory space of a separate live process. Adversaries use it to evade process-based defenses, since the code appears to run as part of a trusted process, and in some cases to gain the target process's higher privileges.

Notable process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelganging, among others.

Each of these methods needs a recognizable combination of Windows API calls and the system calls beneath them, for example VirtualAllocEx to reserve memory in the target, WriteProcessMemory or VirtualProtectEx to place the payload and make it executable, and CreateRemoteThread to start running it. Those predictable call patterns are what allow defenders to build detection and mitigation rules, typically by hooking or monitoring the calls and alerting on the sequence.

New Mockingjay Process Injection Technique

What sets Mockingjay apart is that it never has to allocate a new memory block with Read-Write-Execute (RWX) permissions or change the protection of an existing one, the two actions that most commonly trigger EDR alerts on injection. Instead it reuses an RWX region that a legitimately loaded DLL already provides.

For this purpose, the technique uses msys-2.0.dll, which ships with a 16 KB section that is mapped RWX by default. That makes the DLL an ideal host for malicious code: the payload can be copied into the section and executed from there without ever touching page permissions. The researchers note that other DLLs with similar characteristics are likely to exist, so defenders should not assume msys-2.0.dll is the only candidate.
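The practical question for a defender is which binaries on a given host carry such a section. The following scanner is an added example written for this article, not code from Security Joes or from the msys2 project. It parses the PE/COFF section table directly (offsets from the PE specification) and reports any section whose Characteristics include IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE together. The two sample images at the bottom are constructed in memory so the code runs offline; their layout is invented for the demonstration and is not the real layout of msys-2.0.dll.

```python
"""Find PE files whose section table contains a Read-Write-Execute section.

Added example for this article (not Security Joes code). Section layout and
flag values follow the PE/COFF specification; the sample images are constructed.
"""
import os
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

# IMAGE_SECTION_HEADER.Characteristics flags from winnt.h
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

SECTION_HEADER_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    @property
    def is_rwx(self) -> bool:
        return self.characteristics & RWX_MASK == RWX_MASK


def parse_sections(image: bytes) -> List[Section]:
    """Return the section table of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)        # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                         # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_of_optional                        # first section header
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, table + i * SECTION_HEADER_SIZE)
        name = f[0].rstrip(b"\0").decode("ascii", errors="replace")
        sections.append(Section(name, virtual_address=f[2], virtual_size=f[1], characteristics=f[9]))
    return sections


def rwx_sections(image: bytes) -> List[Section]:
    """Sections an attacker could write a payload into and execute without VirtualProtect."""
    return [s for s in parse_sections(image) if s.is_rwx]


def scan_directory(root: str) -> Dict[str, List[Section]]:
    """Walk `root` and map every .dll/.exe that has an RWX section to those sections."""
    hits: Dict[str, List[Section]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    found = rwx_sections(fh.read())
            except (OSError, ValueError, struct.error):
                continue                                        # unreadable or not a valid PE
            if found:
                hits[path] = found
    return hits


def build_sample_pe(sections: List[tuple]) -> bytes:
    """Construct a header-only PE32+ image from (name, vaddr, vsize, characteristics) tuples."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> PE header
    file_header = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x2022)
    optional = bytearray(240)                                   # PE32+ optional header, zeroed
    struct.pack_into("<H", optional, 0, 0x20B)                  # PE32+ magic
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


# Constructed samples: a conventionally laid-out DLL, and one carrying a 16 KB RWX section
# (the size the article describes; the layout is invented, not msys-2.0.dll's real one).
SAMPLE_CLEAN_DLL = build_sample_pe([
    (b".text", 0x1000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x3000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
SAMPLE_RWX_DLL = build_sample_pe([
    (b".text", 0x1000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".rwx", 0x3000, 0x4000, RWX_MASK),
])

if __name__ == "__main__":
    if len(sys.argv) > 1:                                       # e.g. a Visual Studio or Git install dir
        for path, secs in scan_directory(sys.argv[1]).items():
            for s in secs:
                print(f"{path}: {s.name} RVA=0x{s.virtual_address:x} size={s.virtual_size} bytes")
    else:
        for label, img in (("clean", SAMPLE_CLEAN_DLL), ("rwx", SAMPLE_RWX_DLL)):
            print(label, [(s.name, s.virtual_size) for s in rwx_sections(img)])
```

Run it with a directory argument to inventory candidate DLLs on a host; the reported size lets an analyst judge how much payload a section could hold. Note that this inspects files on disk, which is enough to find candidates; confirming that a running process has such a section mapped requires reading the loaded module's headers from process memory, which the example does not do.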

Security Joes, the Israeli company behind the research, explored two variants of the technique, self-injection and remote process injection, both aimed at executing injected code while evading detection.

In the self-injection approach, a custom application loads the vulnerable DLL into its own address space, copies the payload into the DLL's RWX section and then executes it from there. The remote process injection approach instead targets a separate process that has the vulnerable DLL loaded, such as ssh.exe, and uses that process's copy of the RWX section to host and run the injected code.

"The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions, or create a new thread within the target process to initiate the execution of our injected code. This distinction sets this strategy apart from existing techniques, making it challenging for Endpoint Detection and Response (EDR) systems to detect this method effectively," the researchers said.

These findings arrive shortly after cybersecurity firm SpecterOps disclosed a method that abuses ClickOnce, a legitimate Visual Studio deployment technology, to achieve arbitrary code execution and gain initial access.

About the author

Volodymyr Krasnogolovy
