
New Mockingjay Process Injection Technique: Evading Detection Made Possible

A new process injection technique called Mockingjay has emerged that enables threat actors to evade detection by security solutions and execute malicious code on compromised systems.

Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor shared in a report that Mockingjay achieves injection without allocating memory, setting permissions, or starting a thread. Instead, it relies on a vulnerable DLL and copies the code into the appropriate section of that DLL.

Process injection, an attack method used to bypass process-based defenses and gain elevated privileges, allows adversaries to inject code into processes. This method permits the execution of arbitrary code within the memory space of a separate live process.

Notable process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelganging, among others.

It is important to note that each of these methods requires a combination of specific system calls and Windows APIs. These requirements enable defenders to develop effective detection and mitigation procedures.

New Mockingjay Process Injection Technique

What sets Mockingjay apart is its ability to subvert these security layers by eliminating the need to execute Windows APIs, which are typically monitored by security solutions. Instead, it leverages existing Windows portable executable files that already possess a memory block protected with Read-Write-Execute (RWX) permissions.

For this purpose, the technique utilizes msys-2.0.dll, which offers an ample 16 KB of available RWX space. This DLL serves as an ideal candidate for loading malicious code and evading detection. However, it’s worth mentioning that other susceptible DLLs with similar characteristics may also exist.
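A defender's first check against this technique is an inventory of which DLLs on disk or in memory ship a section whose header asks for read, write and execute at once. The Python below is an added example, not code from the Security Joes report: it parses PE section headers and flags RWX sections, and it is run here against a constructed minimal PE image rather than msys-2.0.dll.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics memory-protection bits (from winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def rwx_sections(pe: bytes) -> list:
    """Return (name, VirtualSize) for every section whose header requests RWX."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]           # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]   # SizeOfOptionalHeader
    sec_table = pe_off + 24 + opt_size                        # first section header
    found = []
    for i in range(nsec):
        hdr = sec_table + i * 40                              # headers are 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize = struct.unpack_from("<I", pe, hdr + 8)[0]      # VirtualSize
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]     # Characteristics
        if chars & RWX == RWX:
            found.append((name, vsize))
    return found


def _section(name: bytes, vsize: int, chars: int) -> bytes:
    # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, 0, 0, 0, 0, 0, 0, chars)


# Constructed sample image: DOS header with e_lfanew=0x40, "PE\0\0", a COFF header
# declaring two sections and SizeOfOptionalHeader=0, then the two section headers.
SAMPLE_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0)
    + _section(b".text", 0x2000, 0x60000020)   # code | execute | read (normal)
    + _section(b".rwx", 0x4000, 0xE0000040)    # data | execute | read | write (flag)
)

if __name__ == "__main__":
    for name, size in rwx_sections(SAMPLE_PE):
        print(f"RWX section {name!r}: {size:#x} bytes")
```

Pointed at the bytes of a real DLL read from disk, the same function reports any section that would be mapped RWX, which is the property the report says makes a DLL usable for this injection.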

The Israeli company behind Mockingjay explored two different methods, namely self-injection and remote process injection, to achieve code injection while enhancing attack efficiency and evading detection.

In the self-injection approach, a custom application directly loads the vulnerable DLL into its address space and subsequently executes the desired code using the RWX section. On the other hand, remote process injection involves leveraging the RWX section in the vulnerable DLL to inject code into a remote process, such as ssh.exe.

"The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions, or create a new thread within the target process to initiate the execution of our injected code. This distinction sets this strategy apart from existing techniques, making it challenging for Endpoint Detection and Response (EDR) systems to detect this method effectively," the researchers said.

These findings arrive shortly after cybersecurity firm SpecterOps unveiled a new method that exploits ClickOnce, a legitimate Visual Studio deployment technology. This technique enables adversaries to achieve arbitrary code execution and gain initial access.

The post New Mockingjay Process Injection Technique: Evading Detection Made Possible appeared first on How To Fix Guide.
