Mockingjay Attack Evades EDR Tools with Code Injection Technique
Security researchers have identified a new sophisticated hacking technique, dubbed “Mockingjay,” that can bypass endpoint detection and response (EDR) tools by injecting malicious code into trusted memory space. This stealthy approach allows attackers to operate undetected within an organization’s network for extended periods.
The attack technique — identified by researchers at Security Joes — is a challenge to EDR vendors and security teams alike.
“To effectively counteract such attacks, security solutions need to employ a comprehensive and proactive approach that goes beyond static monitoring of specific DLLs or system calls,” the researchers wrote. “Behavioral analysis, anomaly detection, and machine learning techniques can enhance the ability to identify process injection techniques and detect malicious activities within the memory space of trusted processes.”
The Mockingjay attack targets trusted and legitimate processes running on the system and avoids or minimizes use of Windows APIs that EDR tools commonly associate with injection attacks. By secretly injecting malicious code into the memory space of the trusted process, Mockingjay hides its activities within a seemingly harmless process.
EDR tools typically monitor Windows APIs within the memory space of processes to detect injection attacks, so the researchers set about trying to find other methods to dynamically execute code within the memory space of Windows processes without relying on the monitored Windows APIs.
They detailed two such attack techniques in their blog post.
They explored trusted Windows libraries that contain sections with default protections set as RWX (Read-Write-Execute). “By misusing these libraries, we were able to successfully inject code into various processes and eliminate the need to execute several Windows APIs usually monitored by security solutions,” they wrote. “This approach reduces the likelihood of detection by defense software, as our application does not directly invoke Windows APIs typically associated with process injection techniques. The injection is executed without space allocation, setting permissions or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section.”
Both attack techniques rely on components shipped with Visual Studio 2022 Community: the first uses the DLL msys-2.0.dll, and the second targets the ssh.exe process located in the Visual Studio 2022 Community directory.
The msys-2.0 DLL contains a default RWX section that could potentially be exploited to load malicious code, the Security Joes researchers said. The report goes into great detail on the attack technique, which they summarized in six steps:
In the process of their work, the researchers noticed that the msys-2.0.dll library is “commonly utilized by applications that require POSIX emulation, such as GNU utilities or applications not originally designed for the Windows environment. We found relevant binaries with these characteristics within the Visual Studio 2022 Community subdirectory.”
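The technique depends on a DLL whose section table already marks a section readable, writable and executable, so one defender-side check is to inventory the on-disk section headers of the DLLs in an environment and flag any RWX section before the library is ever loaded. The following script is an added example, not code from Security Joes or from the blog post; it parses the PE section table with only the standard library, and the sample image it scans is constructed in the script (headers only) rather than a real Windows binary. Pass real DLL paths on the command line to scan them the same way.

```python
"""Inventory PE section headers and flag sections whose default protection is RWX.

Added example (not Security Joes' code). It reads the on-disk section table, so a
DLL with a default RWX section shows up without loading it. The sample PE below is
constructed for the example, not a real Windows binary.
"""
import struct
import sys
from typing import List, NamedTuple, Sequence, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    characteristics: int

    def protection(self) -> str:
        """Render the memory flags as an R/W/X triple, e.g. 'RWX' or 'R-X'."""
        bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
        return "".join(letter if self.characteristics & bit else "-" for letter, bit in bits)

    @property
    def is_rwx(self) -> bool:
        return self.characteristics & RWX_MASK == RWX_MASK


def parse_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff_offset = e_lfanew + 4
    _, num_sections, _, _, _, opt_header_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_offset)
    table_offset = coff_offset + struct.calcsize(COFF_HEADER_FMT) + opt_header_size
    entry_size = struct.calcsize(SECTION_HEADER_FMT)
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, table_offset + i * entry_size)
        name = fields[0].rstrip(b"\0").decode("ascii", errors="replace")
        sections.append(Section(name, fields[1], fields[2], fields[9]))
    return sections


def find_rwx_sections(data: bytes) -> List[Section]:
    """Sections that are readable, writable and executable by default."""
    return [s for s in parse_sections(data) if s.is_rwx]


# --- constructed sample image: headers only, enough to carry a section table ---
def build_sample_pe(specs: Sequence[Tuple[bytes, int, int]]) -> bytes:
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C -> just past the 64-byte stub
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, len(specs), 0, 0, 0, 0, 0x2000)  # x64, no optional header, DLL flag
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), 0x1000, vaddr, 0x200, 0x400, 0, 0, 0, 0, chars)
        for name, vaddr, chars in specs
    )
    return dos_header + b"PE\0\0" + coff + table


SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x60000020),  # code: R-X
    (b".data", 0x2000, 0xC0000040),  # initialized data: RW-
    (b".rwx", 0x3000, 0xE0000040),   # initialized data left RWX: the pattern worth flagging
]


def report(label: str, data: bytes) -> None:
    for s in parse_sections(data):
        marker = "  <-- RWX" if s.is_rwx else ""
        print(f"{label}: {s.name:<8} va=0x{s.virtual_address:08x} size=0x{s.virtual_size:x} {s.protection()}{marker}")


if __name__ == "__main__":
    report("sample", build_sample_pe(SAMPLE_SECTIONS))
    for path in sys.argv[1:]:  # optionally scan real DLLs on disk
        with open(path, "rb") as fh:
            report(path, fh.read())
```

The check is deliberately static: it answers "which libraries on this host ship with an RWX section by default", which is the precondition the researchers describe, and it produces an allow-list of modules whose memory contents are worth watching for unexpected writes at runtime.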
For their proof of concept, they chose the ssh.exe process located within the Visual Studio 2022 Community directory as the payload target. “To accomplish this, we initiated the ssh.exe process as a child process of our custom application using the Windows API CreateProcessW,” they wrote, summarizing the attack technique as follows:
“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code,” they wrote. “This differentiation sets this strategy apart from other existing techniques and makes it challenging for endpoint detection and response (EDR) systems to detect this method.”
EDR systems with integrated behavioral analytics can stop a Mockingjay attack by broadening the scope of their monitoring to cover trusted processes. Such detection techniques can identify code injection and unauthorized changes by establishing baseline behavior patterns and conducting memory integrity checks. EDR technologies can improve their capacity to recognize and block Mockingjay attacks through contextual analysis and the application of machine learning methods that can detect anomalous patterns.
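The proof of concept launched the Visual Studio copy of ssh.exe as a child of the researchers' own application, which is the kind of parent-child relationship that behavioral monitoring can baseline. The script below is an added example, not code from Security Joes or the blog post: it runs a simple parent-process rule over constructed process-creation events carrying Sysmon-style Image / ParentImage / CommandLine fields. The allow-list of expected parents and the sample file paths are assumptions to be tuned to a real environment.

```python
"""Flag the Visual Studio-bundled ssh.exe being launched by an unexpected parent.

Added example, not Security Joes' code. The events are constructed, and the
EXPECTED_PARENTS allow-list is an assumption to be tuned per environment.
"""
from dataclasses import dataclass
from typing import Iterable, List

VS_COMMUNITY_ROOT = r"C:\Program Files\Microsoft Visual Studio\2022\Community"

# Assumed: parents that legitimately spawn the ssh.exe shipped under Visual Studio.
EXPECTED_PARENTS = {"git.exe", "git-remote-https.exe", "devenv.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process (Sysmon "Image")
    parent_image: str   # full path of the creator (Sysmon "ParentImage")
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_vs_bundled_ssh(image: str) -> bool:
    """True for ssh.exe located anywhere under the Visual Studio 2022 Community tree."""
    return _basename(image) == "ssh.exe" and image.lower().startswith(VS_COMMUNITY_ROOT.lower() + "\\")


def flag_unexpected_ssh_parents(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Bundled ssh.exe started by a parent outside the allow-list."""
    return [
        e for e in events
        if is_vs_bundled_ssh(e.image) and _basename(e.parent_image) not in EXPECTED_PARENTS
    ]


# Constructed sample events; the subdirectory of ssh.exe is illustrative.
VS_SSH = VS_COMMUNITY_ROOT + r"\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\usr\bin\ssh.exe"
SAMPLE_EVENTS = [
    # git pushing over SSH: expected parent, not flagged
    ProcessEvent(VS_SSH, VS_COMMUNITY_ROOT + r"\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\cmd\git.exe", "ssh git@example.invalid"),
    # same binary started by an unknown user-writable executable: flagged
    ProcessEvent(VS_SSH, r"C:\Users\alice\Downloads\loader.exe", '"' + VS_SSH + '"'),
    # the OS copy of ssh.exe is outside this rule's scope, even with the same parent
    ProcessEvent(r"C:\Windows\System32\OpenSSH\ssh.exe", r"C:\Users\alice\Downloads\loader.exe", "ssh -V"),
]

if __name__ == "__main__":
    for e in flag_unexpected_ssh_parents(SAMPLE_EVENTS):
        print(f"ALERT: {e.image} spawned by {e.parent_image} ({e.command_line})")
```

The rule keys on where the binary lives and who started it rather than on any API call, which is the point the researchers make: the injection itself avoids the monitored APIs, so the detection opportunity moves to the surrounding process context.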
For security teams, Mockingjay is yet another argument for defense-in-depth; if one security tool misses an attack, a second one could potentially limit the damage.
© 2023 TechnologyAdvice. All Rights Reserved