
New Mockingjay Process Injection Technique Could Let Malware Avoid Detection
A new process injection technique dubbed Mockingjay can be leveraged by threat actors to bypass security solutions to execute malicious code on compromised systems.
“Injections run without allocating space, setting permissions, or even starting threads,” Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. “The uniqueness of this technique is that it requires a vulnerable DLL and copies the code to the proper section.”
Process injection is an attack method that allows adversaries to inject code into processes to circumvent process-based defenses and elevate privileges. It thus allows arbitrary code execution in the memory space of a separate live process.
Some well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging.
It should be noted that each of these methods requires a combination of specific system calls and Windows APIs to perform the injection, allowing defenders to create appropriate detection and mitigation procedures.
What makes Mockingjay stand out is that it subverts this layer of security by removing the need to call the Windows APIs that security solutions usually monitor: it leverages pre-existing Windows portable executable files that already ship with a memory block protected with Read-Write-Execute (RWX) permissions.
This, in turn, is accomplished using msys-2.0.dll, which comes with “16 KB of available RWX space”, making it an ideal candidate to load malicious code and fly under the radar. However, it should be noted that there may be other vulnerable DLLs with similar characteristics.
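Because the technique depends on a DLL that already carries an RWX section, the practical defensive check is to inventory which binaries on a host declare such sections in their PE headers. The following is an added example written for this page, not code from the Security Joes report or from The Hacker News: a small Python parser for the PE section table that flags sections requesting read, write and execute at once, plus a directory walker that applies it to every DLL and EXE under a path. The sample image it parses is constructed inline; its section names, addresses and the 16 KB `.rwx` section are assumptions for illustration that mirror the size quoted above, not the real layout of msys-2.0.dll.

```python
import os
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_sections(data):
    """Return one dict per section header of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("truncated section table")
        (name, vsize, vaddr, _raw_size, _raw_ptr, _reloc, _line,
         _nreloc, _nline, chars) = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "characteristics": chars,
        })
    return sections


def rwx_sections(data):
    """Sections whose header asks the loader for read, write AND execute."""
    return [s for s in parse_sections(data)
            if s["characteristics"] & RWX_MASK == RWX_MASK]


def scan_directory(root):
    """Walk a directory tree; map each DLL/EXE path to its RWX sections, if any."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = rwx_sections(fh.read())
            except (OSError, ValueError, struct.error):
                continue                      # unreadable or not a valid PE; skip
            if hits:
                findings[path] = hits
    return findings


def build_sample_pe(section_specs):
    """Construct a minimal, header-only PE image for testing the parser.
    It is enough for the section-table logic but is not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    opt_size = 0xF0                                   # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_specs), 0, 0, 0, opt_size, 0x2022)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B)        # PE32+ magic
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, chars in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


# Constructed sample: a normal RX code section, a RW data section, and an
# assumed 16 KB section flagged RWX (the property the article describes).
SAMPLE_PE = build_sample_pe([
    (b".text", 0x4000, 0x1000, 0x60000020),   # CNT_CODE | READ | EXECUTE
    (b".data", 0x2000, 0x5000, 0xC0000040),   # CNT_INITIALIZED_DATA | READ | WRITE
    (b".rwx",  16384,  0x7000, 0xE0000020),   # CNT_CODE | READ | WRITE | EXECUTE
])

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(root).items():
        for s in hits:
            print(f"{path}: {s['name']} RWX, {s['virtual_size']} bytes at RVA {s['virtual_address']:#x}")
```

Run it against a directory such as a vendor's installation folder to build an allow-list of binaries that legitimately ship RWX sections; anything new on that list is worth a look, and an EDR rule that pairs image loads of such DLLs with unusual parent processes catches the loading step that Mockingjay still has to perform.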
The Israeli company said it is exploring two different methods – self-injection and remote process injection – to achieve code injection in a way that not only improves attack efficiency, but also avoids detection.
In the first approach, a dedicated application directly loads the vulnerable DLL into its own address space and then executes the desired code from the RWX section. In contrast, remote process injection uses the RWX section of the vulnerable DLL to perform process injection into a remote process such as ssh.exe.
“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions, or create a new thread in the target process to start executing the code we entered,” the researchers say.
“This differentiation sets this strategy apart from other existing techniques and makes it difficult for Endpoint Detection and Response (EDR) systems to detect this method.”
The findings come a few weeks after cybersecurity firm SpecterOps detailed a new method that exploits a legitimate Visual Studio deployment technology called ClickOnce to achieve arbitrary code execution and gain initial access.