
The Mockingjay Process Injection Technique Unveiled as an Elusive Method for Malware to Evade Detection


A new process injection technique called Mockingjay has emerged, presenting a potential avenue for threat actors to evade security measures and execute malicious code on compromised systems. The security researchers who identified it note that the technique does not require memory allocation, permission changes, or thread creation in the target process during injection. According to their report shared with The Hacker News, the distinctiveness of Mockingjay lies in its reliance on a vulnerable DLL and the precise placement of code within the appropriate section of that DLL.

What is a Process Injection?

Process injection is a technique that malicious actors use to insert and execute code within the memory space of a legitimate process running on a computer. The injected code typically grants unauthorized access or performs harmful actions within the targeted process, often with the aim of bypassing security controls and remaining undetected. Process injection techniques exploit weaknesses in the operating system or in applications to gain control over a process and manipulate its behavior. Common process injection methods include DLL injection, code injection, and process hollowing.

Process injection techniques are diverse and encompass various methods that malware or malicious actors employ to inject code into legitimate processes. Some prominent process injection techniques include DLL injection, where a malicious DLL is loaded into a target process; portable executable injection, which involves injecting code from a separate executable file; thread execution hijacking, where the execution flow of a legitimate thread is redirected to malicious code; process hollowing, where a legitimate process is created in a suspended state and its image is replaced with malicious code; and process doppelgänging, which manipulates the file system and process attributes to create a malicious process.

Each technique relies on specific system calls and Windows APIs to perform the injection, and those calls are what give defenders a foothold for detection and mitigation. By understanding the underlying mechanisms of these injection methods, security professionals can devise appropriate countermeasures and safeguard systems against such attacks.

The Unique Traits of Mockingjay

Mockingjay sets itself apart by circumventing traditional security measures through the use of existing Windows portable executable files that already contain a memory section marked Read-Write-Execute (RWX). This approach eliminates the need to call the Windows APIs that security solutions typically monitor. By leveraging msys-2.0.dll, which offers 16 KB of available RWX space, Mockingjay places its code in an already-executable region and operates covertly. The researchers also note that other vulnerable DLLs with similar attributes may exist.
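A defender-side inventory check, added here as an example and not taken from the researchers' report: a standard-library Python scanner that parses a PE file's section table and reports any section whose header grants read, write and execute at once, which is the property that makes a DLL like msys-2.0.dll usable by this technique. The sample image it builds is constructed for the demonstration; the section names and sizes are made up and are not those of any real DLL.

```python
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def rwx_sections(data: bytes):
    """Return [(name, virtual_size, characteristics)] for each section whose header grants R, W and X."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)   # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)      # COFF SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                             # section table follows optional header
    found = []
    for i in range(num_sections):
        off = sec_off + 40 * i                                   # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, = struct.unpack_from("<I", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        if chars & RWX == RWX:
            found.append((name, vsize, chars))
    return found


def scan_files(paths):
    """Map each path to its RWX sections; files that are not PE images map to None."""
    out = {}
    for p in paths:
        with open(p, "rb") as f:
            try:
                out[p] = rwx_sections(f.read())
            except ValueError:
                out[p] = None
    return out


def build_sample_pe(sections):
    """Constructed, non-loadable PE image with only a DOS stub, COFF header and the given section headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    body = bytes(dos) + coff                                     # SizeOfOptionalHeader = 0 in this toy image
    for name, vsize, chars in sections:
        body += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0, 0, 0, 0, 0, 0, 0, chars)
    return body


if __name__ == "__main__":
    sample = build_sample_pe([(".text", 0x1000, 0x60000020), (".data", 0x2000, 0xC0000040), (".rwx", 16384, 0xE0000080)])
    print(rwx_sections(sample))                                  # only the constructed ".rwx" section is flagged
```

Pointing `scan_files` at the DLLs shipped with third-party software gives a list of images worth watching for unexpected code in their RWX sections, regardless of which API an injector used.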

Mockingjay employs two distinct methods, self-injection and remote process injection, to carry out code injection while evading detection. The self-injection variant loads the vulnerable DLL directly into the address space of a custom application and executes the desired code from its RWX section. The remote process injection variant uses the RWX section of the vulnerable DLL to inject into a remote process such as ssh.exe. Both strategies let Mockingjay control code execution without the operations that detection measures typically watch for.

A Challenge for Endpoint Detection and Response (EDR) Systems

Unlike traditional approaches, this strategy eliminates the need for memory allocation, permission changes, or thread creation within the target process to start executing the injected code. The researchers highlighted that this feature poses a significant challenge for Endpoint Detection and Response (EDR) systems, because it deviates from the patterns those systems are built to detect. These findings follow another recent disclosure of a method that abuses the legitimate Visual Studio deployment technology ClickOnce to achieve arbitrary code execution and gain initial access, underscoring the evolving landscape of sophisticated attack techniques.
