Mockingjay Bypass EDR
admin 7 months ago
admin #news

Mockingjay: Bypasses EDR Obstacles And Executes Malicious Code

A new way to inject code into legitimate processes, dubbed "Mockingjay" by researchers, could allow attackers to bypass popular EDR solutions and other defenses, allowing malicious code to be executed on infected systems in secret.

Security Joes has discovered a method that uses legitimate DLL files containing a pre-existing RWX (read-write-execute) section to evade EDR hooks and inject code into remote legitimate processes.


Process injection is a method of executing arbitrary code in the address space of another running process that is trusted by the operating system. Thus, attackers can run malicious code with an extremely low chance of being detected.


Examples of techniques for injecting code into a process include DLL injection, PE injection, thread execution hijacking, process hollowing, and the like. In all of these techniques, attackers rely on the Windows API and the underlying system calls to create a thread in the target process, write to its memory, and so on.


Cybersecurity tools that monitor the actions listed above can detect such attacks and block them promptly. However, Security Joes researchers argue that Mockingjay differs from other common approaches in that it does not use frequently abused Windows API calls, does not change memory permissions, does not allocate memory, and does not even start a thread inside the target process. As a result, a number of the signals that specialized security software relies on for detection are simply never produced.


When developing this method, the goal of the researchers was to find a DLL file that already ships with an RWX section, so that they could overwrite its contents with malicious code without taking additional steps, such as changing memory permissions, that could draw the attention of security software.


Looking for a suitable DLL file, Security Joes analysts found the DLL "msys-2.0.dll" in Visual Studio 2022 Community Edition, which had a default RWX section of 16 KB.
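A defender-side check for the precondition Mockingjay relies on, added here as an example (this is not Security Joes' code): it walks a PE image's section table and flags any section whose characteristics carry read, write and execute together, so such DLLs can be inventoried before an attacker goes looking for them. The PE bytes are constructed inline; the `.rwx` section name and all sizes are made-up placeholders, with 16 KB chosen to mirror the size quoted above.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_sections(data: bytes):
    """Return [(name, virtual_size, characteristics)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section table follows it
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize = struct.unpack_from("<I", data, off + 8)[0]
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vsize, chars))
    return sections


def find_rwx_sections(data: bytes):
    """Sections that are readable, writable and executable at the same time."""
    return [(n, s) for n, s, c in parse_sections(data) if c & RWX == RWX]


def build_sample_pe(sections):
    """Constructed minimal PE: DOS header, signature, COFF header, no optional header, section table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, s, 0x1000, s, 0x400, 0, 0, 0, 0, c)
                     for n, s, c in sections)
    return dos + b"PE\0\0" + coff + table


# Constructed sample: a normal code section, a normal data section, and one RWX section of 16 KB.
SAMPLE_SECTIONS = [
    (b".text", 0x5000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),
    (b".data", 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (b".rwx", 0x4000, RWX | 0x40),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    for name, size in find_rwx_sections(SAMPLE_PE):
        print(f"RWX section {name!r}, {size} bytes")
```

Pointing `parse_sections` at the bytes of real DLLs on a system inventories every module that ships with an RWX section, which is the property a response team would want to enumerate and watch.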


“By using this existing RWX section, we can take advantage of the memory protection it offers by effectively bypassing the EDR algorithms. This approach not only circumvents the limitations imposed by custom hooks but also creates a reliable and stable environment for our implementation technique,” the report says.


All the technical details of how the Mockingjay method works can be found in the Security Joes technical report.


The development of Mockingjay is another clear example of why organizations should take a layered approach to security rather than relying solely on existing EDR solutions. The more obstacles placed in the way of attackers, the less likely they are to carry out their plans successfully.
