New Mockingjay Process Injection Technique Evades EDR Detection

Cyber Security Threat Summary:
“A new process injection technique called "Mockingjay" has been discovered by researchers at cybersecurity firm Security Joes. This technique allows threat actors to bypass EDR (Endpoint Detection and Response) systems and execute malicious code on compromised systems without detection. Unlike traditional process injection methods, Mockingjay does not rely on commonly abused Windows API calls, special permissions, or memory allocation, making it more difficult to detect.

The researchers identified a vulnerable DLL, msys-2.0.dll, with a default RWX (read, write, execute) section in Visual Studio 2022 Community. By leveraging this existing section, they were able to load malicious code without triggering security software alarms. The Mockingjay technique includes two injection methods: self-injection and remote process injection.

In the self-injection method, a custom application called "nightmare.exe" loads the vulnerable DLL into its memory space using Windows API calls, gaining direct access to the RWX section without additional steps. The researchers used the "Hell's Gate EDR unhooking" technique, utilizing syscall numbers extracted from the clean system module NTDLL.DLL, to bypass EDR hooks and execute the injected shellcode without detection.

The remote process injection method involves exploiting the RWX section of msys-2.0.dll to inject a payload into a remote process, specifically the "ssh.exe" process. The custom application launches ssh.exe as a child process, opens a handle to the target process, and injects the malicious code into the RWX memory space of the vulnerable DLL. The injected shellcode establishes a reverse shell, allowing the attacker to gain control over the compromised system” (BleepingComputer, 2023).

Security Officer Comments:
Tests have shown that both Mockingjay injection methods evade EDR solutions because neither requires creating a new thread, allocating memory, or changing page permissions in the target process. Mockingjay instead relies on Windows APIs such as 'LoadLibraryW', 'CreateProcessW' and 'GetModuleInformation' to load the misconfigured DLL and locate its RWX section; these calls are far less likely to raise suspicion than the APIs EDRs commonly monitor in traditional process injection attacks.
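Because the technique depends on a module that ships with a section marked readable, writable and executable, one check a defender can run is to inventory such sections across the DLLs and executables installed on a host. The following script is an added example, not code from Security Joes or from the BleepingComputer article: it parses PE section headers and reports any section whose characteristics carry all three of IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The page names msys-2.0.dll as a module with such a section; the bytes built by `build_test_image` below are a constructed header-only stand-in, not that DLL, and the section names in `SAMPLE_SECTIONS` are invented for the demonstration.

```python
"""Audit PE images for sections whose header grants read, write and execute at once.

Added example for the Mockingjay summary above (not the researchers' code).
The sample image is constructed in-line so the script runs offline.
"""
import struct
import sys
from typing import List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER_SIZE = 20                 # IMAGE_FILE_HEADER


def parse_sections(data: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (name, virtual_address, virtual_size, characteristics) per section header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional  # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data,
                                    table + i * struct.calcsize(SECTION_HEADER_FMT))
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        # fields[1] = VirtualSize, fields[2] = VirtualAddress, fields[9] = Characteristics
        sections.append((name, fields[2], fields[1], fields[9]))
    return sections


def find_rwx_sections(data: bytes) -> List[str]:
    """Names of sections that are readable, writable and executable at the same time."""
    return [name for name, _va, _size, chars in parse_sections(data)
            if (chars & RWX) == RWX]


def build_test_image(sections) -> bytes:
    """Construct a header-only PE32+ image (constructed test data; not loadable)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)        # e_lfanew -> PE signature
    optional = bytearray(240)                           # PE32+ optional header size
    struct.pack_into("<H", optional, 0, 0x20B)          # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(optional), 0x2022)
    headers = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode("ascii").ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + headers


# Constructed sample: three ordinary sections plus one misconfigured RWX section.
SAMPLE_SECTIONS = [
    (".text", 0x1000, 0x4000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),
    (".rdata", 0x5000, 0x1000, IMAGE_SCN_MEM_READ | 0x40),
    (".data", 0x6000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (".rwx", 0x7000, 0x2000, RWX | 0x40),
]


def audit_file(path: str) -> List[str]:
    """Read a PE file from disk and return the names of its RWX sections."""
    with open(path, "rb") as fh:
        return find_rwx_sections(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            hits = audit_file(p)
            print(f"{p}: {'RWX sections: ' + ', '.join(hits) if hits else 'clean'}")
    else:
        print("constructed sample:", find_rwx_sections(build_test_image(SAMPLE_SECTIONS)))
```

Run it with one or more DLL or EXE paths on the command line to list RWX sections; with no arguments it audits the constructed sample and reports `['.rwx']`. A hit is not proof of compromise, since some toolchains legitimately emit such sections, but each one is a module whose mapped memory can be written and executed without any page-permission change, which is exactly the property Mockingjay relies on.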

Suggested Correction(s):
The discovery of Mockingjay highlights the importance of a holistic security approach rather than reliance on EDR solutions alone: a technique that avoids the API calls an EDR hooks will not be caught by those hooks. Organizations need to stay vigilant and adapt their security strategies to defend against emerging techniques used by threat actors.

Link(s):
https://www.bleepingcomputer.com/ne...ess-injection-technique-evades-edr-detection/