The newly devised Mockingjay process injection technique can evade most existing security mechanisms, allowing EDR bypass. It’s a trivial process to carry out, requires minimal steps, and delivers maximum results merely by exploiting legitimate DLLs.
Researcher Devised Mockingjay Process Injection Technique
According to a recent post from Security Joes, Mockingjay is an advanced process injection strategy that successfully bypasses most detection measures.
Process injection is a known attack strategy in which an adversary injects code directly into a trusted running process. Some process injection types include Dynamic-link Library Injection and Process Doppelgänging. The aim is to escape detection while gaining access to the process’s memory and network resources and obtaining elevated privileges.
While it’s a viable technique, process injection involves specific actions, such as calls to Windows APIs, that most existing EDR (Endpoint Detection and Response) systems effectively monitor. That’s where Mockingjay becomes important, as it allows evading such EDRs: it doesn’t rely on those Windows APIs but instead uses the RWX (read, write, execute) sections of legitimate DLLs.
Describing Mockingjay, the post reads,
Our unique approach, which involves leveraging a vulnerable DLL and copying code to the appropriate section, allowed us to inject code without memory allocation, permission setting, or even starting a thread in the targeted process.
Briefly, the researchers demonstrated their attack strategy via the vulnerable DLL msys-2.0.dll shipped with Visual Studio 2022 Community. The team searched for this DLL and found that it possessed a default RWX section they could exploit. They then loaded this DLL into the memory space of their custom application to load and execute the injected code.
The attack proceeded entirely without Windows API use, which is what makes the EDR bypass effective. Moreover, it required no memory allocation, permission changes, or thread creation for code execution.
The researchers have shared the details about Mockingjay in their post, and the following video demonstrates the technique.
Suggested Remediation
Since Mockingjay exposes the inefficiency of existing endpoint protection measures, the researchers advise organizations to implement dynamic analysis of runtime behavior, identify anomalous activity, employ signature-based detection for known threats, deploy reputation-based filtering to flag suspicious activity, and ensure robust memory protection.
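The precondition the technique relies on, a DLL whose section table already grants read, write and execute, can be inventoried on disk without loading anything. The following Python is an added example, not code from Security Joes or this article: it parses PE section headers to flag RWX sections, and the PE image it builds for itself is a constructed sample standing in for a real DLL such as msys-2.0.dll (the scan_dlls helper and its directory argument are this example's own).

```python
import struct
from pathlib import Path

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def find_rwx_sections(data: bytes) -> list[str]:
    """Names of sections whose header grants read, write and execute at once.
    Only headers are parsed, so a DLL is checked on disk, never loaded."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (bad MZ/PE signature)")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    hits = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        if (fields[-1] & RWX) == RWX:  # last field is Characteristics
            hits.append(fields[0].rstrip(b"\0").decode("ascii", "replace"))
    return hits

def scan_dlls(root: str) -> dict[str, list[str]]:
    """Map every *.dll under root that has an RWX section to those section names."""
    report = {}
    for path in Path(root).rglob("*.dll"):
        try:
            rwx = find_rwx_sections(path.read_bytes())
        except (OSError, ValueError, struct.error):
            continue  # unreadable or malformed headers: skip, do not abort the sweep
        if rwx:
            report[str(path)] = rwx
    return report

def build_sample_pe(sections: list[tuple[str, int]]) -> bytes:
    """Constructed, non-loadable PE image with only the given section headers (test input, not a real DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> offset 0x40
    optional = b"\0" * 0xF0  # PE32+ optional header size; contents irrelevant here
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(optional), 0x2022)
    headers = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                                   0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, f)
                       for i, (n, f) in enumerate(sections))
    return dos + b"PE\0\0" + coff + optional + headers

if __name__ == "__main__":
    sample = build_sample_pe([(".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                              (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                              (".rwx", RWX)])
    print(find_rwx_sections(sample))  # ['.rwx']
```

Running scan_dlls over a program directory lists the DLLs that would satisfy this precondition, which is the inventory a defender wants before tuning memory-protection or detection rules.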