Mockingjay – A New Injection Technique to Bypass Endpoint Detection and Response

The cybersecurity researchers at Security Joes recently discovered a new injection technique that is dubbed “Mockingjay.” 

Threat actors could use this injection technique to run malicious code on compromised systems while evading EDR (Endpoint Detection and Response) and other security solutions.


By using DLLs that already contain an RWX (read-write-execute) section, the technique bypasses EDR hooks and injects code into remote processes.

Process injection lets threat actors execute malicious code undetected by placing it inside trusted, already-running processes.

Attackers employ Windows APIs, system calls, process/thread creation, and process memory writing in these techniques.

Security tools can detect and intervene in suspicious activity by monitoring the specific actions listed above.

Mockingjay differs from other injection techniques, and so evades several detection opportunities, because it does not use the commonly abused Windows API calls to:-

  • Set special memory permissions
  • Perform memory allocation
  • Start a thread

Process Injection Methods

Here below, we have listed the known process injection methods:-

  • Self-Injection: This technique is commonly found in malware packers and does not impact any external process; rather, the process executing the injection is the same process that receives the injected payload.
  • Classic DLL Injection: This technique injects a malicious DLL into the memory space of another process. In this case, the malicious sample must first identify the specific process it intends to target, allocate a portion of memory within it and create a thread to start the execution of the malicious DLL from disk.
  • PE Injection: This technique maps an entire Portable Executable (PE) file into the memory space of a running process. It allocates a new memory section within the target process, which will serve as the destination for the payload. The contents of the payload are then dynamically mapped onto this memory section using its relocation descriptors and the absolute address of the section, imitating the functionality of the Windows Loader.
  • Process Hollowing / Run PE: In this technique, the original code and resources of the target process are replaced or removed, leaving behind only the bare process framework. The hollowed process then becomes a host for the injected malicious code, allowing it to execute under the guise of a legitimate process.
  • Thread Execution Hijacking: This technique is used to gain control of the execution flow within a process by redirecting the execution of a target thread to arbitrary code. It allows an attacker to manipulate the behavior of a running process without creating a new process or modifying the underlying code.
  • Mapping Injection: By utilizing the NtMapViewOfSection, the malicious code is mapped into the target process from an existing section, controlled by the attacker. This approach eliminates the requirement to explicitly allocate RWX sections and avoids the need for separate payload content copying. The malicious code indirectly becomes part of the target process’s memory space, allowing it to execute within the context of a genuine module.
  • APC Injection and Atombombing: This technique manipulates the Asynchronous Procedure Call (APC) mechanism in the Windows operating system to inject and execute malicious code in a target process.
  • Process Doppelganging: This technique is used in malware development to disguise malicious processes by creating a process with a legitimate appearance. It involves utilizing transactional NTFS (TxF) and Windows process loading mechanisms to create a new process that looks like an existing, legitimate process but runs malicious code instead. 

Mockingjay Bypass EDR

Researchers aimed to locate a vulnerable DLL with a default RWX section, enabling effortless modification of its contents for loading harmful code.

This avoids extra steps such as changing memory permissions, which may alert security software.

During their DLL search, Security Joes’ analysts stumbled upon Visual Studio 2022 Community’s msys-2.0.dll, which ships with a 16 KB default RWX section.
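The check a defender wants here is an inventory of which DLLs on disk actually carry an RWX section, since those are the modules the technique depends on. The following is an added example, not code from the article or from Security Joes: a small PE section-table parser that flags sections whose characteristics include read, write and execute. The sample image it scans is a constructed, header-only PE (not loadable) with a 16 KB RWX section named ".rwx"; the flag constants are the documented IMAGE_SCN_MEM_* values from the PE specification.

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    characteristics: int

    @property
    def is_rwx(self) -> bool:
        return self.characteristics & RWX == RWX


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> NT headers -> section table and return every section."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after the signature
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", image, file_hdr + 16)[0]
    sec_table = file_hdr + 20 + size_opt          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, chars))
    return sections


def rwx_sections(image: bytes) -> list:
    """Return only the sections that are readable, writable and executable at once."""
    return [s for s in parse_sections(image) if s.is_rwx]


def scan_directory(root: str) -> dict:
    """Map each DLL under root that has an RWX section to the names of those sections."""
    hits = {}
    for path in Path(root).rglob("*.dll"):
        try:
            found = rwx_sections(path.read_bytes())
        except (ValueError, OSError):
            continue
        if found:
            hits[str(path)] = [s.name for s in found]
    return hits


def _build_sample_image() -> bytes:
    """Constructed header-only PE32+ image for the demo (assumption: not a real DLL)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: NT headers right after the DOS header
    opt = bytearray(240)                          # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    sections = [
        (b".text", 0x1000, 0x1000, 0x60000020),   # code, read + execute
        (b".data", 0x0800, 0x2000, 0xC0000040),   # data, read + write
        (b".rwx",  0x4000, 0x3000, 0xE0000040),   # constructed 16 KB read + write + execute section
    ]
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    sec_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, ch)
        for n, vs, va, ch in sections
    )
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl


SAMPLE_IMAGE = _build_sample_image()

if __name__ == "__main__":
    for s in rwx_sections(SAMPLE_IMAGE):
        print(f"RWX section {s.name!r}: {s.virtual_size} bytes at RVA 0x{s.virtual_address:x}")
```

Run `scan_directory` over a software installation tree to build the same kind of inventory the researchers built by hand; a DLL that shows up is not vulnerable by itself, but it is a module whose loads are worth watching in EDR telemetry.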

The team then devised two injection techniques, which are mentioned below:-

  • Self-injection
  • Remote process injection

For the first scenario, the researchers built “nightmare.exe,” a custom application that loads the vulnerable DLL directly into its own memory using two Windows API calls.

This avoids any memory allocation or permission change and gives the application direct access to the RWX section.


At this point, the EDR is notified of the new process and, once the application is launched, promptly loads its own dynamic library into it.

Once loaded, the EDR patches bytes in the in-memory copy of NTDLL.DLL to hook the functions it wants to monitor.


The “Hell’s Gate” EDR unhooking technique is then used to read a fresh, unhooked copy of NTDLL.DLL and extract the syscall numbers from it.

These numbers bypass EDR hooks, enabling undetected execution of the injected shellcode.


Exploiting msys-2.0.dll’s RWX section, the second approach injects a payload into the “ssh.exe” process remotely.

In this scenario, the injected shellcode loads the DLL file “MyLibrary.dll” to initiate a reverse shell connection with the attacker’s machine.


PoC Video

Here below, we have mentioned the PoC video:-

Here below, we have listed the APIs that are commonly monitored by EDR solutions and used in process injection attacks:-

  • WriteProcessMemory
  • NtWriteVirtualMemory
  • CreateRemoteThread
  • NtCreateThreadEx
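Because Mockingjay avoids the four calls above, a rule that only correlates those APIs will miss it; the complementary signal is an unexpected process loading a DLL known to carry an RWX section. The following is an added example, not code from the article or from Security Joes: two detection functions run over a few constructed telemetry lines. The first correlates a cross-process memory write with a remote-thread creation (the classic pattern); the second flags a load of msys-2.0.dll by a process outside an expected toolchain directory. The log format, process names, paths and the allowlisted directory are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx"}

# Assumption: DLL names an on-disk section scan found to ship with an RWX section.
RWX_DLL_INVENTORY = {"msys-2.0.dll"}
# Assumption: constructed install directory from which loading such a DLL is expected.
EXPECTED_LOADER_DIRS = ("c:/vs2022/community/",)

# Constructed telemetry in a simple "timestamp key=value ..." form (paths kept free of spaces).
SAMPLE_LOG = """\
2023-06-27T10:00:01Z pid=4120 image=C:/Users/dev/injector.exe api=OpenProcess target=5232
2023-06-27T10:00:01Z pid=4120 image=C:/Users/dev/injector.exe api=NtWriteVirtualMemory target=5232
2023-06-27T10:00:02Z pid=4120 image=C:/Users/dev/injector.exe api=NtCreateThreadEx target=5232
2023-06-27T10:01:00Z pid=6100 image=C:/Users/dev/nightmare.exe event=ImageLoad module=C:/VS2022/Community/usr/bin/msys-2.0.dll
2023-06-27T10:02:00Z pid=7000 image=C:/VS2022/Community/usr/bin/git.exe event=ImageLoad module=C:/VS2022/Community/usr/bin/msys-2.0.dll
"""


def parse_event(line: str) -> dict:
    """Turn one constructed log line into a dict; the timestamp is parsed as UTC."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def detect_classic_injection(events: list, window: timedelta = timedelta(seconds=5)) -> list:
    """Classic pattern: a memory write into another process followed by a remote thread there."""
    writes = defaultdict(list)  # (source pid, target pid) -> [(ts, api)]
    alerts = []
    for ev in events:
        api = ev.get("api")
        if not api or ev.get("target") in (None, ev["pid"]):
            continue  # no API, or the process is only touching itself
        key = (ev["pid"], ev["target"])
        if api in WRITE_APIS:
            writes[key].append((ev["ts"], api))
        elif api in THREAD_APIS:
            for wts, wapi in writes[key]:
                if 0 <= (ev["ts"] - wts).total_seconds() <= window.total_seconds():
                    alerts.append({"rule": "classic_injection", "pid": ev["pid"],
                                   "target": ev["target"], "apis": (wapi, api)})
                    break
    return alerts


def detect_rwx_module_load(events: list) -> list:
    """Mockingjay-style signal: an unexpected process loads a DLL that carries an RWX section."""
    alerts = []
    for ev in events:
        if ev.get("event") != "ImageLoad":
            continue
        module = ev["module"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if module not in RWX_DLL_INVENTORY:
            continue
        loader = ev["image"].replace("\\", "/").lower()
        if not loader.startswith(EXPECTED_LOADER_DIRS):
            alerts.append({"rule": "rwx_dll_load", "pid": ev["pid"],
                           "image": ev["image"], "module": module})
    return alerts


def run(log_text: str) -> list:
    """Parse the log and run both rules; returns the combined alert list."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return detect_classic_injection(events) + detect_rwx_module_load(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

In the constructed log, the injector process trips the classic rule, nightmare.exe trips the RWX-load rule, and git.exe loading the same DLL from its own toolchain directory is left alone; the allowlist is what keeps the second rule from firing on every legitimate Visual Studio tool that uses msys-2.0.dll.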

By avoiding these calls, Mockingjay minimizes the likelihood of triggering alerts. Security Joes’ development of Mockingjay highlights the need for robust and layered security approaches rather than relying solely on EDR solutions.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.