In the rapidly evolving landscape of cybersecurity threats, a highly advanced process injection technique called "Mockingjay" has emerged, posing a significant challenge to conventional security measures like Endpoint Detection and Response (EDR). This blog aims to delve into the intricacies of Mockingjay, its capability to bypass EDR detection, and the implications it holds for organizations. By gaining a comprehensive understanding of this advanced technique, businesses can adopt a holistic security approach to effectively counter the evolving threat landscape.
The Mockingjay Technique:
Recently discovered by the cybersecurity firm Security Joes, the Mockingjay process injection technique leverages legitimate Dynamic Link Libraries (DLLs) with read, write, and execute (RWX) sections to silently inject malicious code into remote processes, thereby evading EDR hooks and other security products. DLLs are files that contain reusable code and data which multiple programs can simultaneously use. What sets Mockingjay apart from other approaches is its ingenious avoidance of commonly abused Windows API calls, special permissions, memory allocation, and thread initiation. By bypassing these typical detection opportunities, Mockingjay establishes a robust and reliable environment for executing its injection technique without detection.
Development of Mockingjay:
The dedicated researchers at Security Joes embarked on a mission to identify a vulnerable DLL with a default RWX section that could be modified to load malicious code without raising suspicion from security software. Their investigation led them to the DLL msys-2.0.dll within Visual Studio 2022 Community, which boasted a default RWX section of 16 KB.
To implement the Mockingjay technique, the team developed two injection methods: self-injection and remote process injection. In the case of self-injection, a custom application called "nightmare.exe" loads the vulnerable DLL directly into its memory space, exploiting two Windows API calls ("NtAllocateVirtualMemory" and "NtWriteVirtualMemory") to gain access to the RWX section without the need for memory allocation or permission changes. This injection method bypasses EDR hooks using the "Hell's Gate EDR unhooking" technique, allowing the injected shellcode to execute without detection.
The second method involves exploiting the RWX section of msys-2.0.dll to inject a payload into a remote process, specifically targeting the "ssh.exe" process. The custom application launches "ssh.exe" as a child process, establishes a handle to the target process, and injects the malicious code into the RWX memory space of the vulnerable DLL. The injected shellcode then loads the "MyLibrary.dll" DLL file, enabling the establishment of a reverse shell connection with the attacker's machine. Notably, this remote injection attack successfully evades EDR solutions without requiring new thread creation, memory allocation, or permission changes.
Why Mockingjay Eludes Detection:
Mockingjay's effectiveness lies in its ability to operate covertly, evading traditional EDR solutions. While EDRs typically monitor Windows APIs such as 'WriteProcessMemory,' 'NtWriteVirtualMemory,' 'CreateRemoteThread,' or 'NtCreateThreadEx,' which are commonly invoked in traditional process injection attacks, Mockingjay avoids triggering these typical alarms. By sidestepping the usual detection mechanisms, Mockingjay significantly reduces the likelihood of raising suspicion.
Examples of Process Injection Techniques:
Process injection techniques include DLL injection, PE (portable executable) injection, reflective DLL injection, thread execution hijacking, process hollowing, mapping injection, APC (asynchronous procedure call) injection, and more. These techniques exploit vulnerabilities in the target process to inject malicious code and execute it within the context of a legitimate process, bypassing security measures.
The emergence of Mockingjay as a highly sophisticated process injection technique underscores the urgent need for organizations to adopt a comprehensive security approach. Relying solely on traditional EDR solutions is no longer sufficient in the face of advanced threats like Mockingjay. At Armoryze, we recognize the evolving cybersecurity landscape and offer Managed Detection and Response (MDR) services that go beyond standard measures. Our team of experts is equipped to protect your organization from the ever-changing threat landscape.
Don't leave your business vulnerable to sophisticated attacks. Schedule a FREE consultation with Armoryze today and take proactive steps to fortify your security defenses. With our advanced MDR services, you can gain peace of mind knowing that your systems are continuously monitored, threats are detected in real-time, and swift action is taken to mitigate risks. Stay one step ahead of cybercriminals--contact us now and secure the future of your organization.