Heimdal
article featured image

Contents:

Researchers found a new process injection technique dubbed Mockingjay that enables hackers to bypass EDR solutions. The method allows threat actors to execute malicious code on compromised systems.

The research revealed that by using legitimate DLLs with read, write, execute (RWX) sections, Mockingjay can evade Endpoint Detection and Response tools. Simply put, Mockingjay can stealthily inject malicious code into remote processes.

How Is the Mockingjay Process Injection Different?

Process injection is a technique that allows the execution of arbitrary code in the address space of legitimate processes. Thus, it enables threat actors to execute malware while evading endpoint security measures.

There is more than one known process injection method:

  • DLL injection,
  • Portable executable injection,
  • reflective DLL injection,
  • process hollowing,
  • mapping injection,
  • thread execution hijacking, etc.

When employing any of those, malicious actors use Windows APIs and various system calls. Consequently, an endpoint security service that monitors a company`s assets would be able to detect malicious activity. Next, it would respond and take the appropriate security measures to protect the system.

However, according to researchers Mockingjay found a way to circumvent and evade EDR tools. Instead of abusing Windows API calls, it exploits vulnerable DLLs with a default RWX section.

How Does Mockingjay Work?

Researchers used a misconfigured DLL, with an RWX section. They altered its contents to load malware. They didn`t attempt to gain additional permissions because that would have been a red flag for EDR software. The analysts chose DLL msys-2.0.dll inside Visual Studio 2022 Community for their experiment.

By leveraging this pre-existing RWX section, we can take advantage of the inherent memory protections it offers, effectively bypassing any functions that may have already been hooked by EDRs.

This approach not only circumvents the limitations imposed by userland hooks but also establishes a robust and reliable environment for our injection technique.

Source

As a result, the researchers created two injection methods:

  • For self-injection

In this case, a custom application (“nightmare.exe”) loads the misconfigured DLL directly into its memory space. It uses two Windows API calls and grants direct access to the RWX section while it skips allocating memory or setting permissions. After that, researchers exploited an NTDLL.DLL system module to extract syscall numbers. Those were further used to circumvent EDR hooks employing the “Hell’s Gate EDR unhooking” technique. In the end, researchers succeeded to execute the injected shellcode without being detected.

Step 1

Source

Step 2

Source

  • For remote process injection

This technique relies on exploiting the TWX section of msys-2.0.dll to inject a payload into the “ssh.exe” remote process.

The custom software launches ssh.exe as a child process. After that, it opens a handle to the target process and injects the malware onto the RWX memory space of the misconfigured DLL.

As a result, the injected shellcode loads the “MyLibrary.dll” DLL file, and establishes a reverse shell with the attacker’s machine.

Step 1

Source

Step 2

Source

Conclusions

Researchers proved that this remote injection attack can successfully evade EDR solutions.

While both methods use Windows APIs to load a vulnerable DLL and find the address of the DLL’s RWX section, none of them attempts allocating memory or setting permissions.

In the end, it appears that Mockingjay succeeds evading detection because EDRs only focus on APIs such as ‘WriteProcessMemory,’ ‘NtWriteVirtualMemory,’ ‘CreateRemoteThread,’ or ‘NtCreateThreadEx’.

As a result, researchers recommend companies to bolster their cybersecurity posture by integrating EDR tools in a comprehensive security strategy.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Heimdal Official Logo
Secure your business with advanced 24x7 Protection.
Amplify the power of your security operations with Heimdal’s 24x7 fully Managed Extended Detection & Response (MXDR) solution.
  • End-to-end consolidated cybersecurity;
  • Powered by the Heimdal XDR, Unified Security Platform
  • Comprehensive enterprise security without any additional integrations
  • 24x7 monitoring & prompt response delivered by our security experts
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE