Mockingjay process injection technique allows EDR bypass

Mockingjay is a new process injection technique that can be exploited to bypass security solutions to execute malware on compromised systems.

A new process injection technique dubbed Mockingjay can be exploited by attackers to bypass security controls and gain unauthorized access to compromised systems.

The term process injection is used to refer to a method used to inject malicious code into the memory space of a process.

To detect project injection, EDR (Endpoint Detection and Response) software often sets hooks on Windows APIs within the memory space of every launched process. The security solutions use hooks to intercept and capture the parameters passed to the Windows APIs.

Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor demonstrated that misusing trusted Windows libraries that already contain sections with default protections set as RWX (Read-Write-Execute) it is possible to inject code into various processes without executing several Windows APIs.

“This approach reduces the likelihood of detection by defense software, as our application does not directly invoke Windows APIs typically associated with process injection techniques.” reads the analysis published by Security Joes. “We call this technique “Mockingjay” as it is rather smoother than other techniques and requires smaller number of steps to achieve. The injection is executed without space allocation, setting permissions or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section. As the copy echoes back in the read/write/execute, we considered the name Mockingjay suitable.”

The researchers conducted the study in two distinct stages:

• To identify a vulnerable DLL that possessed a default Read-Write-Execute (RWX) memory section.
• To implement the process injection technique abusing the RWX memory section already present in the DLL previously found.

The researchers discovered that the DLL msys-2.0.dll possesses a default RWX section that could potentially be exploited by an attacker to load malicious code.

“With a generous 16 KB of available RWX space, this DLL presents an ideal location for injecting and executing our code. By leveraging this pre-existing RWX section, we can take advantage of the inherent memory protections it offers, effectively bypassing any functions that may have already been hooked by EDRs.” continues the report. “This approach not only circumvents the limitations imposed by userland hooks but also establishes a robust and reliable environment for our injection technique.”

Once identified the vulnerable DLL the researchers analyzed self-injection and remote process injection techniques to bypass security measures.

In the first technique, attackers directly load the vulnerable DLL into the memory space of their custom application. The attackers gain direct access to the default RWX section and execute arbitrary code without additional memory allocation or permission setting.

In the second technique, the attackers leverage the RWX section in the vulnerable DLL to perform process injection in a remote process. The remote process injection uses the RWX section in the vulnerable DLL to perform process injection in a remote process such as ssh.exe.

“For our proof of concept, we specifically chose the ssh.exe process located in the Visual Studio directory to inject our payload. It is important to note that in this injection method, there is no need to explicitly create a thread within the target process, as the process automatically executes the injected code. This inherent behavior makes it challenging for Endpoint Detection and Response (EDR) systems to detect this method.” continues the report.

Below is the process used by the researchers to bypass EDR detection:

1. Custom application is executed.
2. Trusted application (ssh.exe) using DLL msys-2.0.dll is launched as a child process.
3. Custom application opens a handle to the target process (ssh.exe).
4. Code to be injected is copied into the RWX section of msys-2.0.dll.
5. Trusted application executes the injected code during its normal execution flow.
6. Additional DLL MyLibrary.dll is loaded by the shellcode injected in the RWX section.
7. Back connect shell session is stablished.

The researchers released the following video PoC for their Mockingjay:

“This research has provided valuable insights into the utilization of legitimate DLLs with Read-Write-Execute (RWX) sections as an effective method for evading userland hooks and injecting code into remote processes. By leveraging trusted libraries with these attributes, threat actors can bypass the need to allocate RWX memory, set permissions, or even create new threads in the target process.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mockingjay)