| property | value |
| --- | --- |
| tags | hunt-pipeline-2023,offensive-tradecraft,pkm-pocket-pipeline,tactic-process-injection,threat-hunting |
| url | |
| original_word_count | 456 |
Article Excerpt
A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions and execute malicious code on compromised systems.
Long Summary
Mockingjay is a process injection technique, reported in June 2023, that lets an attacker run code inside a process without the three steps conventional injection depends on: allocating memory in the target, changing page protections, and starting a thread. Each of those steps maps onto a Windows API family that EDR products routinely hook (VirtualAllocEx, VirtualProtectEx and CreateRemoteThread, or their Nt* equivalents), which is what makes avoiding them valuable to an attacker. Instead, Mockingjay relies on a legitimate Windows portable executable that already contains a section mapped Read-Write-Execute (RWX) when it is loaded. The proof of concept uses msys-2.0.dll, the MSYS2 runtime library, which carries a default RWX section of 16 KB, enough to hold a payload with no allocation at all.
The researchers describe two approaches. In self injection, the injector loads the DLL (the write-up calls it "vulnerable", although the RWX section is a property of how the binary was built rather than a classic memory-safety bug) into its own address space, places the payload in the RWX section and transfers execution there. In remote process injection, the RWX section of that same DLL inside another process serves as the landing zone; the example target is ssh.exe, which already loads msys-2.0.dll.
The advantage for an attacker is that none of the APIs usually monitored for injection (allocation, protection change, thread creation) are called, so Endpoint Detection and Response (EDR) products that key on that sequence see nothing unusual. That does not make the technique invisible: the DLL still has to be loaded into the target process, which produces an image-load event, and the payload still has to reach the section by some route the attacker must arrange. Hunting can therefore key on which binaries on disk carry RWX sections and on which processes load them, rather than on the injection API sequence. The researchers also note that msys-2.0.dll is unlikely to be the only DLL with this property, so an inventory of DLLs with RWX sections is a sensible starting point.
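Hunting angle for the passage above, as an added example (not code from the Security Joes write-up or from The Hacker News): since the technique hinges on a DLL that already carries an RWX section, the first question a hunter asks is which binaries on a host have one. The script below parses the PE section table by hand, with no third-party dependency, and flags RWX sections above a size threshold. The embedded sample image, its `.rwxsec` section name and the `find_rwx_sections` / `scan_files` function names are constructed for this example and do not come from the page; the scan generalises beyond the page's single case, msys-2.0.dll, to any PE file.

```python
"""Inventory PE files that ship a section mapped Read-Write-Execute.

Added example for this page (not Security Joes' tooling): a dependency-free
PE section-table parser that flags sections whose Characteristics carry
EXECUTE, READ and WRITE at once, plus a constructed sample image so the
scan can be exercised offline.
"""
import struct
import sys
from pathlib import Path

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def find_rwx_sections(data: bytes, min_size: int = 0):
    """Return [(name, virtual_size, characteristics)] for every section of the
    PE image `data` that is mapped RWX and at least `min_size` bytes large.
    Raises ValueError if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_opt          # section table follows the optional header
    found = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            break                             # truncated table: report what was readable
        fields = SECTION_HDR.unpack_from(data, off)
        name, vsize, chars = fields[0], fields[1], fields[9]
        # Precedence matters: `chars & RWX == RWX` would evaluate RWX == RWX first.
        if (chars & RWX) == RWX and vsize >= min_size:
            found.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, chars))
    return found


def scan_files(paths, min_size: int = 0):
    """Map each readable PE path to its RWX sections; non-PE files are skipped."""
    hits = {}
    for p in map(Path, paths):
        try:
            rwx = find_rwx_sections(p.read_bytes(), min_size)
        except (OSError, ValueError):
            continue
        if rwx:
            hits[str(p)] = rwx
    return hits


def build_sample_pe(sections):
    """Constructed test input: a minimal PE32+ header whose section table is
    `sections` = [(name, virtual_size, characteristics)]. Not a real DLL and not
    loadable; the optional header holds only its magic."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    size_of_opt = 240                                             # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_of_opt, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (size_of_opt - 2)
    table, va = b"", 0x1000
    for name, vsize, chars in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, va, 0, 0, 0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF
    return dos + b"PE\0\0" + coff + opt + table


# Sample image (constructed): ordinary .text (RX) and .data (RW) sections beside a
# 16 KB RWX section, the size the write-up reports for msys-2.0.dll.
SAMPLE_PE = build_sample_pe([
    (".text", 0x3000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rwxsec", 0x4000, RWX),
])


def demo():
    """Scan the embedded sample with a 4 KB floor (anything smaller is hard to use)."""
    return find_rwx_sections(SAMPLE_PE, min_size=0x1000)


if __name__ == "__main__":
    # With paths on the command line, scan real files; otherwise use the sample.
    if len(sys.argv) > 1:
        for path, rwx in scan_files(sys.argv[1:], min_size=0x1000).items():
            print(path, [(n, hex(sz)) for n, sz, _ in rwx])
    else:
        print(demo())   # [('.rwxsec', 16384, 3758096384)]
```

Run it with one or more paths (for instance every DLL under a Git for Windows or MSYS2 install) to inventory candidates; with no arguments it scans the embedded sample. A hit is a candidate, not a verdict: RWX image sections have legitimate origins, so pair the inventory with image-load telemetry showing which processes actually map those DLLs.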
The findings come weeks after cybersecurity firm SpecterOps detailed a new method that exploits a legitimate Visual Studio deployment technology called ClickOnce to achieve arbitrary code execution and obtain initial access. Mockingjay is yet another example of how malicious actors are constantly finding new ways to bypass security solutions and execute malicious code on compromised systems.
Short Summary
New Mockingjay Process Injection Technique Could Let Malware Evade Detection
- A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions and execute malicious code on compromised systems.
- Mockingjay is a new process injection technique used by malicious actors to bypass security solutions.
- It executes malicious code on compromised systems without requiring space allocation or thread starting.
- Mockingjay utilizes pre-existing Windows portable executable files with Read-Write-Execute permissions.
- The technique is divided into self injection and remote process injection approaches.
- Self injection loads a vulnerable DLL into its own address space and executes the desired code.
- Remote process injection uses the RWX section in a vulnerable DLL to inject code into a remote process.
- Mockingjay avoids executing Windows APIs monitored by security solutions.
- Endpoint Detection and Response (EDR) systems find it difficult to detect this method.
- There may be other DLLs with similar characteristics and vulnerabilities.
- Mockingjay is another example of actors bypassing security to execute malicious code on systems.
source link: https://thehackernews.com/2023/06/new-mockingjay-process-injection.html
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/new-mockingjay-process-injection-technique-could-let-malware-evade-detection
#Mockingjay #processinjection #securitybypass #maliciouscode #newtechnique