Security Joes researchers have detailed a new process injection technique called “Mockingjay” that could be used by threat actors to bypass Endpoint detection and response (EDR) solutions to execute malicious code on compromised systems.
Process injection is a technique that enables a threat actor to inject malicious code into the memory space of a process, hide the injected code and evade detection. To accomplish this in a Windows environment, attackers rely on a combination of Windows APIs, each serving a specific purpose and following a specific order in the injection process.
Over the years, security researchers have detailed many process injection techniques, such as DLL injection, PE (portable executable) injection, reflective DLL injection, thread execution hijacking, process hollowing, mapping injection, APC (asynchronous procedure call) injection, and others.
Mockingjay leverages dynamic link libraries (DLLs) that ship with a section whose default protection is already read, write, and execute (RWX) to push code into the address space of a running process. What sets the technique apart is that it requires such a vulnerable DLL and copying code into the right section, and that it does not use the Windows APIs commonly abused for process injection.
“We explored trusted Windows libraries that already contain sections with default protections set as RWX (Read-Write-Execute). By misusing these libraries, we were able to successfully inject code into various processes and eliminate the need to execute several Windows APIs usually monitored by security solutions,” the researchers wrote in a blog post. “This approach reduces the likelihood of detection by defense software, as our application does not directly invoke Windows APIs typically associated with process injection techniques.”
Security Joes tested two different techniques - self-injection and remote process injection - aiming to optimize code injection and increase the attack's efficiency and potentially evade detection.
The first method involves a custom application, which loads the vulnerable DLL directly into its memory space using two Windows API calls, granting it direct access to the RWX section without performing memory allocation or setting the permissions.
The second approach uses the RWX section in the vulnerable DLL to perform process injection in a remote process. This requires identifying non-malicious binaries that depend on the DLL msys-2.0.dll for their operation.
“After conducting extensive tests, our method has proven to be a highly successful solution for injecting and executing code in a remote process that uses the DLL msys-2.0.dll. In this case, we were able to inject our own code into the memory space of the ssh.exe process without being detected by the EDR,” the Israeli security firm wrote.
“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code. This differentiation sets this strategy apart from other existing techniques and makes it challenging for Endpoint Detection and Response (EDR) systems to detect this method.”
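The precondition the researchers describe is a DLL whose section headers declare RWX protection by default. A defender can inventory that condition directly from the PE section table without loading the binary. The following is an added example, not Security Joes' tooling; the sample image, section names and the `build_sample_pe` helper are constructed for offline use, and the only real-world DLL the article names is msys-2.0.dll.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def pe_sections(data: bytes):
    """Yield (name, virtual_address, characteristics) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the signature; the section count and
    # the optional-header size locate the section table.
    hdr = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    nsections, opt_size = hdr[1], hdr[5]
    off = e_lfanew + 24 + opt_size
    for _ in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, off)
        yield fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[2], fields[9]
        off += 40

def rwx_sections(data: bytes) -> list:
    """Names of sections that load readable, writable and executable (R+W+X)."""
    return [name for name, _va, chars in pe_sections(data) if chars & RWX == RWX]

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image (DOS header, PE signature, file header with
    no optional header, section table), used here as offline sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points to 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\0\0" + file_hdr + table

# Constructed sample: ordinary code and data sections plus one RWX section
SAMPLE_IMAGE = build_sample_pe([
    (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),  # 0x20 = IMAGE_SCN_CNT_CODE
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),    # 0x40 = CNT_INITIALIZED_DATA
    (b".rwxsec", RWX | 0x40),                                       # what an audit should flag
])

if __name__ == "__main__":
    print("RWX sections:", rwx_sections(SAMPLE_IMAGE))  # prints ['.rwxsec']
```

Running `rwx_sections` over the DLLs on a host (or feeding the section names into a hunting rule) turns the article's precondition into an inventory item: any module that loads with an RWX section is one an EDR cannot rely on memory-protection changes to catch.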