A newly discovered process injection technique known as Mockingjay has emerged as a potential threat, enabling threat actors to bypass security solutions and execute malicious code on compromised systems. Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor have uncovered this unique injection method that can deceive security measures without the need for space allocation, permission settings, or thread initialization.
Process injection techniques have long been employed by adversaries to inject code into processes, evading detection and escalating privileges. Common methods include DLL injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging. However, Mockingjay sets itself apart by leveraging pre-existing Windows portable executable files, particularly msys-2.0.dll, to execute code in a separate live process. This technique bypasses security monitoring of Windows APIs and employs a generous amount of available RWX space within the DLL for loading and executing malicious code.
Security Joes explored two different methods to achieve code injection using Mockingjay: self-injection and remote process injection. In self-injection, a custom application loads the vulnerable DLL directly into its address space, executing the desired code using the RWX section. Remote process injection involves utilizing the RWX section in the vulnerable DLL to perform process injection in a remote process, such as ssh.exe. These approaches not only improve attack efficiency but also circumvent detection mechanisms.
The researchers emphasize that Mockingjay's distinctiveness lies in its ability to execute injected code without the need for memory allocation, permission adjustments, or thread creation within the target process. This sets it apart from other existing techniques and poses a challenge for Endpoint Detection and Response (EDR) systems to detect and mitigate attacks using this method.
These findings follow the recent disclosure by SpecterOps of an exploit that leverages Visual Studio's ClickOnce deployment technology to achieve arbitrary code execution and gain initial access. As the cybersecurity landscape evolves, it is crucial for organizations and security professionals to remain vigilant and stay informed about emerging techniques employed by threat actors.