2023-06-28

A new process injection technique called Mockingjay could be exploited by threat actors to evade security solutions and execute malicious code on compromised Windows systems.

Mockingjay: what we know

“The injection is done without allocating space, setting permissions, or even starting a thread,” Security Joes researchers Thiago Peixoto, Felipe Duarte and Ido Naor said in a published report. “The uniqueness of this technique is that it requires a vulnerable DLL and copying the code into the correct section.”

Process injection is an attack method that allows adversaries to place code inside other processes in order to evade process-based defenses and gain elevated privileges. In doing so, malicious code can be executed in the memory space of a separate, already running process.

Some of the well-known process injection techniques include dynamic link library (DLL) injection, portable executable (PE) injection, thread execution hijacking, process hollowing and process doppelgänging, among others.

It is important to highlight that each of these methods requires a combination of specific system calls and Windows APIs to perform the injection, which is precisely what enables security operators to devise adequate detection and mitigation procedures.

What sets Mockingjay apart is that it subverts these layers of security by eliminating the need to call the Windows APIs usually monitored by security solutions: it leverages pre-existing Windows portable executables that already contain a memory block with read-write-execute (RWX) permissions.

Mockingjay achieves this using the file msys-2.0.dll, which has a “generous 16 KB RWX space available,” making it an ideal candidate for loading malicious code and escaping detection. However, it is worth noting that there may be other vulnerable DLLs with similar characteristics.
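A defender can inventory which DLLs on a system carry such a section before any loader abuses it. The following Python is an added example (not code from Security Joes or the article): it parses the PE section table and flags any section that is readable, writable and executable at once; the DLL image it checks is constructed inline, headers only, with one 16 KB RWX section standing in for the property described above.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def parse_sections(pe: bytes):
    """Return (name, virtual_size, characteristics) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_opt_hdr   # table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, pe, first_section + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[1], fields[9]))
    return sections


def rwx_sections(pe: bytes):
    """Sections that are readable, writable and executable at the same time:
    the pre-allocated scratch space a Mockingjay-style loader relies on."""
    return [(n, size) for n, size, chars in parse_sections(pe) if chars & RWX == RWX]


def build_sample_pe(sections):
    """Constructed, headers-only PE32+ image used for testing (not a real DLL)."""
    opt_hdr = b"\0" * 0xF0   # size of IMAGE_OPTIONAL_HEADER64; contents irrelevant here
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt_hdr), 0x2002)
    table = b"".join(struct.pack(SECTION_HDR, name, vsize, 0, 0, 0, 0, 0, 0, 0, chars)
                     for name, vsize, chars in sections)
    dos_hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos_hdr + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed sample: an ordinary .text/.data pair plus one 16 KB RWX section.
SAMPLE_DLL = build_sample_pe([
    (b".text", 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20),
    (b".data", 0x800, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (b".rwxdata", 16 * 1024, RWX | 0x40),
])
```

Running `rwx_sections(open(path, "rb").read())` over the DLLs in a software inventory gives a list of candidates worth monitoring, since a legitimately built module rarely needs a writable section that is also executable.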

The Israeli company said it explored two different methods, self injection and remote process injection, to achieve code injection in a way that not only improves the efficiency of the attack but also evades detection.

In the first approach, a custom application directly loads the vulnerable DLL into its own address space and then executes the desired code from the RWX section. Remote process injection, on the other hand, uses the RWX section of the vulnerable DLL to perform process injection into a remote process such as ssh.exe.

“The peculiarity of this technique [i.e. Mockingjay] lies in the fact that there is no need to allocate memory, set permissions or create a new thread inside the target process to start the execution of our injected code,” the researchers stated.

“This differentiation distinguishes this strategy from other existing techniques and makes it difficult for Endpoint Detection and Response (EDR) systems to detect.”

These findings come weeks after cybersecurity firm SpecterOps described a new method that takes advantage of a legitimate Visual Studio deployment technology called ClickOnce to obtain malicious code execution and gain initial access.

Conclusion

As always, it is good to be careful about your browsing and online habits; in this case, the implication is that the Mockingjay technique would be aimed at the average Windows user, who is usually not very expert in computer security.

The usual advice applies: if you download dubious files from everywhere, you are more likely to run into problems like this, and the operating system should be kept regularly updated, unless the manufacturer advises otherwise.

That’s all.