A new way to inject code into legitimate processes, dubbed "Mockingjay" by researchers, could allow attackers to bypass popular EDR solutions and other defenses, letting malicious code run covertly on infected systems.
Security Joes has discovered a method that uses legitimate .dll files containing RWX sections to evade EDR hooks and inject code into legitimate processes.
Process injection is a method of executing arbitrary code in the address space of another running process that is trusted by the operating system. Thus, attackers can run malicious code with an extremely low chance of being detected.
Examples of process injection techniques include DLL injection, PE injection, thread execution hijacking, process hollowing, and the like. In all of these techniques, attackers use Windows API functions and the underlying system calls to create a thread in the target process, write to its memory, and so on.
Cybersecurity tools that monitor certain actions from the above list may well detect such attacks and block them promptly. However, Security Joes researchers argue that Mockingjay differs from other common approaches in that it does not use frequently abused Windows API calls, does not set special permissions, does not allocate memory, and does not even start a thread inside the target process. Thus, a number of opportunities for threat detection by specialized software are eliminated.
When developing this method, the goal of the researchers was to find a vulnerable DLL file with a default RWX section so that they could modify its contents to load malicious code without taking additional steps, such as obtaining additional permissions, which could raise suspicions of security programs.
Looking for a suitable DLL file, Security Joes analysts found the DLL "msys-2.0.dll" in Visual Studio 2022 Community Edition, which had a default RWX section of 16 KB.
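Because the technique depends on a DLL that already ships with a read-write-execute section, defenders can inventory their own binaries for that property without any third-party tooling. The following is an added example (not code from Security Joes' report) that walks a PE section table and flags any section whose characteristics set IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE together; the `build_sample_pe` helper fabricates a minimal PE header as constructed test data, and the 16 KB RWX section it emits is modelled on the size reported for msys-2.0.dll, not read from that file.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def parse_sections(data):
    """Yield (name, virtual_address, virtual_size, characteristics) for each
    section header of a PE image supplied as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                      # COFF file header (20 bytes)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                             # section table follows optional header
    for i in range(num_sections):
        off = table + 40 * i                                 # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars


def find_rwx_sections(data):
    """Return [(name, rva, size)] for sections that are readable, writable and
    executable at once, the property the Mockingjay technique relies on."""
    return [(n, va, vs) for n, va, vs, c in parse_sections(data) if c & RWX == RWX]


def build_sample_pe(sections):
    """Constructed test data: a minimal PE32+ header with the given
    (name, virtual_size, characteristics) sections and no real code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xF0                                       # placeholder optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    hdrs, rva = b"", 0x1000
    for name, vsize, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, rva, vsize, 0, 0, 0, 0, 0, chars)
        rva += (vsize + 0xFFF) & ~0xFFF                      # next section on a page boundary
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:                                # usage: python rwx_scan.py some.dll ...
        with open(path, "rb") as f:
            for name, rva, size in find_rwx_sections(f.read()):
                print(f"{path}: RWX section {name!r} at RVA {rva:#x} ({size} bytes)")
```

A hit is a hunting lead, not proof of compromise: the next step is to confirm whether the section is legitimately RWX by design and whether the module is loaded by processes that should never need it.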
“By using this existing RWX section, we can take advantage of the memory protection it offers by effectively bypassing the EDR algorithms. This approach not only circumvents the limitations imposed by custom hooks but also creates a reliable and stable environment for our implementation technique,” the report says.
All the technical details of how the Mockingjay method works can be found in the Security Joes technical report.
The development of Mockingjay is another clear example of why organizations should take a holistic approach to security rather than relying solely on existing EDR solutions. The more obstacles in the way of hackers, the less likely they will be able to successfully implement their malicious plans.