
A new process injection technique called Mockingjay can be exploited by threat actors to bypass security solutions and execute malicious code on compromised systems.
“The injection is performed without allocating space, setting permissions, or even starting a thread,” Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. “What’s unique about this technique is that the vulnerable DLL and code must be copied into the appropriate section.”
Process injection is an attack technique that lets attackers bypass process-based defenses by running their code inside another process, often to elevate privileges. The result is arbitrary code execution in the memory space of a separate, already-running process.

Well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, process doppelgänging, and others.
Each of these methods requires a particular combination of system calls and Windows APIs to carry out the injection, which gives defenders something concrete to build detection and mitigation procedures around.
What makes Mockingjay stand out is that it leverages existing Windows portable executables that already ship with a block of memory protected as read/write/execute (RWX). Writing into that block removes the need to call the Windows APIs that security solutions typically monitor, which is how the technique slips past those layers.
https://www.youtube.com/watch?v=155OXwnnAyw
The researchers settled on msys-2.0.dll, which has “16 KB of available RWX space”, making it an ideal candidate for loading malicious code and executing it silently. They note, however, that other DLLs with similar characteristics may also be susceptible.
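The precondition for this technique is a DLL that carries a section whose header flags are READ, WRITE and EXECUTE at the same time, so the defender-side check is to walk the section table of every PE on disk and flag such sections. The following script is an added example written for this article, not code from Security Joes or the report; it parses the PE section headers with nothing but struct, and the two-section sample image it builds (section names `.text` and `.rwx`, the 16 KB size) is constructed here purely for illustration.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)


def pe_sections(data: bytes):
    """Yield (name, virtual_size, characteristics) for each section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    off = coff + 20 + opt_size  # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, _va, _raw, _rawptr, _rel, _ln, _nrel, _nln, chars = \
            struct.unpack_from(SECTION_HDR, data, off)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, chars
        off += SECTION_HDR_SIZE


def find_rwx_sections(data: bytes):
    """Return [(name, virtual_size)] for every section that is readable, writable and executable."""
    return [(name, vsize) for name, vsize, chars in pe_sections(data) if chars & RWX == RWX]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image with a normal .text section and a 16 KB RWX section.
    This is synthetic test input, not bytes taken from any real DLL."""
    def section(name, vsize, chars):
        return struct.pack(SECTION_HDR, name, vsize, 0x1000, vsize, 0x400, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    optional = struct.pack("<H", 0x20B) + b"\0" * 238             # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(optional), 0x2022)
    return (dos + b"PE\0\0" + coff + optional
            + section(b".text", 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
            + section(b".rwx", 0x4000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX))


if __name__ == "__main__":
    # Point this at real files (e.g. a directory of DLLs) when hunting; the sample is for a dry run.
    for name, size in find_rwx_sections(build_sample_pe()):
        print(f"RWX section {name!r}: {size // 1024} KB")
```

Run over an on-disk collection of DLLs, the same `find_rwx_sections` call gives an inventory of candidate images to watch for unexpected writes; header flags are what the loader uses to set page protections, so a section flagged RWX here is RWX once mapped.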
The Israeli company said it explored two approaches, self-injection and remote process injection, to achieve code injection in a way that both improves attack efficiency and evades detection.
The first relies on a custom application that loads the vulnerable DLL directly into its own address space and then uses the RWX section to execute the desired code. Remote process injection, on the other hand, uses the RWX section of the vulnerable DLL to inject into a remote process such as ssh.exe.

“The uniqueness of this technique lies in the fact that it does not require allocating memory, setting permissions, or creating new threads within the target process to begin executing the injected code,” the researchers wrote.
“This differentiation sets this strategy apart from other existing techniques and makes it difficult for endpoint detection and response (EDR) systems to detect this technique.”
The findings come weeks after cybersecurity firm SpecterOps detailed a new technique that abuses a legitimate Visual Studio deployment technology called ClickOnce to execute arbitrary code and gain initial access.