Mockingjay: a new Process Injection technique evading EDR detection
Researchers at the cybersecurity firm Security Joes have described a new process injection technique they call Mockingjay. According to their report, it lets an attacker run malicious code on a compromised Windows system while evading Endpoint Detection and Response (EDR) products and other security tools that watch the usual injection primitives.
Process injection is a technique by which an attacker runs arbitrary code inside the address space of a trusted, already running process, so that the activity appears to come from that process. Well-known variants include DLL injection, PE injection and thread execution hijacking. Most of them, however, depend on a small set of Windows API calls and system calls (allocating memory in the target, changing page protections, writing the payload, starting a remote thread) that security tools hook and monitor closely.
What sets Mockingjay apart is that it evades EDR hooks and places code in a remote process without those commonly abused API calls and without allocating any new memory. It relies on a DLL that ships with a section whose default protection is already read, write and execute (RWX). Because that section belongs to a legitimately loaded module, code written into it runs from memory the process already trusts, and nothing has to be allocated or re-protected to make it executable.
The Security Joes researchers found a suitable DLL, msys-2.0.dll, shipped with Visual Studio 2022 Community; it contains such a default RWX section. Reusing that existing section gave them a reliable injection target without the memory allocation and protection changes that userland hooks are designed to catch.
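The practical question this raises for a defender is which DLLs on a system carry a section that is RWX by default. The scanner below is an added example written for this page, not Security Joes' tooling; it parses the PE section table in memory, bounds-checks every offset, and reports sections whose characteristics include IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The sample image it scans is a constructed minimal PE32+ header (the section name ".rwxsec" is invented), not a copy of msys-2.0.dll, and the truncated-header cases exercise the malformed-input path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section characteristic bits, with the values winnt.h defines for them. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define SCN_RWX (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
#define FILE_HEADER_SIZE    20   /* sizeof(IMAGE_FILE_HEADER) */
#define SECTION_HEADER_SIZE 40   /* sizeof(IMAGE_SECTION_HEADER) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk the PE headers of an image held in memory and copy the names of the
 * sections that are readable, writable and executable into `names`. Returns the
 * RWX section count, or -1 if the headers are truncated or malformed. */
int find_rwx_sections(const uint8_t *img, size_t len, char names[][9], int max_names)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe_off = rd32(img + 0x3c);                        /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + FILE_HEADER_SIZE) return -1;
    if (memcmp(img + pe_off, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = img + pe_off + 4;                       /* IMAGE_FILE_HEADER */
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    size_t sec_off = (size_t)pe_off + 4 + FILE_HEADER_SIZE + opt_size;
    if (sec_off > len || (len - sec_off) / SECTION_HEADER_SIZE < nsec) return -1;
    int found = 0;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sh = img + sec_off + (size_t)i * SECTION_HEADER_SIZE;
        if ((rd32(sh + 36) & SCN_RWX) != SCN_RWX) continue;    /* Characteristics */
        if (found < max_names) { memcpy(names[found], sh, 8); names[found][8] = '\0'; }
        found++;
    }
    return found;
}

/* Constructed sample: a minimal PE32+ DLL header with three sections, only one
 * of which (".rwxsec") is RWX. It is not msys-2.0.dll or any real file. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const uint32_t pe_off = 0x80, opt_size = 0xF0;
    const size_t need = pe_off + 4 + FILE_HEADER_SIZE + opt_size + 3 * SECTION_HEADER_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; wr32(buf + 0x3c, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *fh = buf + pe_off + 4;
    wr16(fh + 0, 0x8664);                 /* Machine: AMD64 */
    wr16(fh + 2, 3);                      /* NumberOfSections */
    wr16(fh + 16, (uint16_t)opt_size);    /* SizeOfOptionalHeader */
    wr16(fh + 18, 0x2022);                /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL */
    wr16(fh + FILE_HEADER_SIZE, 0x20b);   /* optional header Magic: PE32+ */
    const struct { const char *name; uint32_t chars; } secs[3] = {
        { ".text",   IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20 },  /* + CNT_CODE */
        { ".data",   IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40 },    /* + CNT_INITIALIZED_DATA */
        { ".rwxsec", SCN_RWX | 0x40 },
    };
    uint8_t *sh = fh + FILE_HEADER_SIZE + opt_size;
    for (int i = 0; i < 3; i++, sh += SECTION_HEADER_SIZE) {
        memcpy(sh, secs[i].name, strlen(secs[i].name));
        wr32(sh + 8, 0x1000);             /* VirtualSize */
        wr32(sh + 12, 0x1000u * (i + 1)); /* VirtualAddress */
        wr32(sh + 36, secs[i].chars);     /* Characteristics */
    }
    return need;
}

/* Scan the sample, optionally truncated to `truncate_to` bytes; keeps the first RWX name. */
static char g_first_rwx[9];
int sample_rwx_count(size_t truncate_to)
{
    uint8_t buf[1024]; char names[8][9];
    size_t n = build_sample_image(buf, sizeof buf);
    if (truncate_to && truncate_to < n) n = truncate_to;
    int count = find_rwx_sections(buf, n, names, 8);
    strcpy(g_first_rwx, count > 0 ? names[0] : "");
    return count;
}
const char *sample_rwx_first_name(void) { return g_first_rwx; }

/* Usage: ./rwxscan [file.dll]   (without an argument, scans the sample) */
int main(int argc, char **argv)
{
    static uint8_t img[1 << 20]; size_t len = 0; char names[16][9];  /* section table is in the first MiB */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (f) { len = fread(img, 1, sizeof img, f); fclose(f); }
    else if (argc > 1) { perror(argv[1]); return 1; }
    else len = build_sample_image(img, sizeof img);
    int n = find_rwx_sections(img, len, names, 16);
    if (n < 0) { puts("not a valid PE image"); return 1; }
    for (int i = 0; i < n && i < 16; i++) printf("RWX section: %s\n", names[i]);
    printf("%d RWX section(s)\n", n);
    return 0;
}
```

Run it over a directory of DLLs to build an inventory of modules that expose RWX memory by default; such a module is a usable injection target in every process that loads it, so the list is also a list of processes whose module loads deserve closer monitoring.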
Two injection methods were developed: self-injection and remote process injection. In self-injection, a custom application loads the vulnerable DLL into its own address space and can write to the RWX section directly, with no further preparation of memory. To get around the EDR's userland hooks in the process's own NTDLL.DLL, it reads the system call numbers it needs from a clean, unhooked copy of NTDLL.DLL and issues those calls itself, so the shellcode placed in the section runs without passing through the hooked APIs.
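What "extracting syscall numbers from a clean NTDLL.DLL" means in practice is shown by the added example below; it is illustration written for this page, not Security Joes' code. An x64 Nt* export stub begins with `mov r10, rcx; mov eax, <number>`, and a userland hook typically overwrites those first bytes with a `jmp` into the EDR's trampoline, so the number can only be read reliably from a copy that has not been patched. The same comparison is a hook detector: if the in-process stub no longer decodes to the number found in the on-disk copy, something has modified it. The stub bytes are constructed samples, the number 0x3A is a placeholder (real numbers differ between Windows builds), and locating the export by name in each copy is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What inspecting the first bytes of an Nt* export stub tells us. */
typedef enum { STUB_CLEAN = 0, STUB_HOOKED = 1, STUB_UNKNOWN = 2 } stub_state;

/* Decode the system service number (SSN) from an x64 ntdll stub that begins
 *   4C 8B D1        mov r10, rcx
 *   B8 nn nn nn nn  mov eax, <SSN>
 * A stub that instead starts with E9 (jmp rel32) has been overwritten by a
 * userland hook trampoline and is reported as STUB_HOOKED; any other prologue
 * is STUB_UNKNOWN. */
stub_state read_syscall_number(const uint8_t *stub, size_t len, uint32_t *ssn)
{
    if (len >= 5 && stub[0] == 0xE9) return STUB_HOOKED;
    if (len >= 8 && stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8) {
        *ssn = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
               ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);
        return STUB_CLEAN;
    }
    return STUB_UNKNOWN;
}

/* Resolve an SSN the way a clean-copy approach does: read it from the stub in a
 * fresh copy of ntdll.dll loaded from disk, then compare with the stub the
 * process is actually running. A mismatch means the in-process copy has been
 * patched (an EDR hook). Returns -1 if even the disk copy is unreadable. */
int resolve_from_clean_copy(const uint8_t *mem_stub, const uint8_t *disk_stub,
                            size_t len, uint32_t *ssn, int *hooked)
{
    uint32_t mem_ssn = 0;
    if (read_syscall_number(disk_stub, len, ssn) != STUB_CLEAN) return -1;
    *hooked = read_syscall_number(mem_stub, len, &mem_ssn) != STUB_CLEAN || mem_ssn != *ssn;
    return 0;
}

/* Constructed sample stubs. They are not copied from any real ntdll build and
 * the SSN 0x3A is a placeholder: real numbers differ between Windows builds,
 * which is exactly why the number has to be read at run time. */
static const uint8_t SAMPLE_DISK_STUB[21] = {
    0x4C, 0x8B, 0xD1,                                   /* mov r10, rcx */
    0xB8, 0x3A, 0x00, 0x00, 0x00,                       /* mov eax, 0x3A */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,     /* test byte ptr [7FFE0308h], 1 */
    0x75, 0x03,                                         /* jne +3 */
    0x0F, 0x05,                                         /* syscall */
    0xC3                                                /* ret */
};
static const uint8_t SAMPLE_HOOKED_STUB[21] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,                       /* jmp rel32 -> EDR trampoline (first 5 bytes overwritten) */
    0x00, 0x00, 0x00,                                   /* leftover tail of the original imm32 */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3
};

/* Helpers that run the samples through both paths. */
uint32_t sample_ssn(void)
{
    uint32_t ssn = 0; int hooked = 0;
    return resolve_from_clean_copy(SAMPLE_HOOKED_STUB, SAMPLE_DISK_STUB, 21, &ssn, &hooked) == 0 ? ssn : 0xFFFFFFFFu;
}
int sample_hook_detected(void)          /* hooked in-memory stub vs. clean disk stub */
{
    uint32_t ssn = 0; int hooked = 0;
    if (resolve_from_clean_copy(SAMPLE_HOOKED_STUB, SAMPLE_DISK_STUB, 21, &ssn, &hooked) != 0) return -1;
    return hooked;
}
int sample_clean_process_hooked(void)   /* same bytes in memory and on disk: no hook */
{
    uint32_t ssn = 0; int hooked = 0;
    if (resolve_from_clean_copy(SAMPLE_DISK_STUB, SAMPLE_DISK_STUB, 21, &ssn, &hooked) != 0) return -1;
    return hooked;
}

int main(void)
{
    printf("disk copy SSN: 0x%X, in-memory stub hooked: %s\n",
           sample_ssn(), sample_hook_detected() ? "yes" : "no");
    return 0;
}
```

The defensive reading of this block matters as much as the offensive one: a process that maps a second copy of ntdll.dll from disk, or whose NTDLL stubs in memory differ from the on-disk image, is exhibiting exactly the behaviour an unhooking tool produces, and both are observable.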
In remote process injection the target is a process that itself loads msys-2.0.dll, such as ssh.exe, so the RWX section is already present in the target's address space. The custom application launches the target as a child process, opens a handle to it and writes the payload into that section; because the section is already executable, no memory has to be allocated or re-protected in the remote process.