Threat actors may be able to take advantage of a newly disclosed process injection technique called Mockingjay to get around security measures and run malicious code on compromised systems.
According to a report shared with The Hacker News by Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor, “The injection is executed without space allocation, setting permissions or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section.”
An attack technique known as “process injection” enables adversaries to inject code into processes in order to circumvent “process-based defenses” and gain privileges. By doing so, it could make it possible to run any kind of code in the memory of a different live process.
Dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging are among the well-known methods of process injection.
It is important to point out that in order to carry out the injection, each of these methods necessitates a combination of specific system calls and Windows APIs. This makes it possible for security professionals to design the right detection and mitigation strategies.
What sets Mockingjay apart is that it subverts these security layers by eliminating the need to execute the Windows APIs that security solutions usually monitor. It does so by leveraging pre-existing Windows portable executable files that already contain a default memory block protected with Read-Write-Execute (RWX) permissions.
This, in turn, is accomplished using msys-2.0.dll, which comes with a “generous 16 KB of available RWX space,” making it an ideal candidate for loading malicious code and flying under the radar. However, it is worth noting that other susceptible DLLs with similar properties could exist.
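Because the technique depends on a DLL that ships with an RWX section, the natural defensive check is to inventory loaded or on-disk DLLs for sections whose characteristics combine IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ and IMAGE_SCN_MEM_WRITE. The following added example (not code from the article or from Security Joes) parses the PE section table directly and flags such sections; the sample image it builds is a constructed, minimal PE with one normal code section and one 16 KB RWX section, and the function names are assumptions of this example.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def pe_sections(data):
    """Return (name, virtual_size, characteristics) for every section header.

    Only the fields needed to reach the section table are parsed; the
    optional header is skipped using SizeOfOptionalHeader from the COFF header.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # COFF file header starts after "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                     # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                         # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size = struct.unpack_from("<I", data, off + 8)[0]
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, virtual_size, characteristics))
    return sections


def rwx_sections(data):
    """Return (name, virtual_size) for sections mapped readable, writable and executable."""
    return [(name, size) for name, size, chars in pe_sections(data) if chars & RWX == RWX]


def scan_file(path):
    """Convenience wrapper for scanning a DLL on disk (e.g. a msys-2.0.dll copy)."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def _section_header(name, virtual_size, virtual_address, characteristics):
    # Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData
    # PointerToRelocations PointerToLinenumbers NumberOfRelocations
    # NumberOfLinenumbers Characteristics  -> 40 bytes
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), virtual_size,
                       virtual_address, virtual_size, 0, 0, 0, 0, 0, characteristics)


def build_sample_image():
    """Constructed minimal PE image (not a real DLL) with one RX and one RWX section."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff_header = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x2022)
    optional_header = b"\0" * 0xF0                                      # zeroed PE32+ optional header
    text = _section_header(b".text", 0x1000, 0x1000,
                           IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20)
    rwx = _section_header(b".rwx", 0x4000, 0x2000, RWX | 0x40)          # 16 KB, like the page describes
    return dos_header + b"PE\0\0" + coff_header + optional_header + text + rwx


if __name__ == "__main__":
    for name, size in rwx_sections(build_sample_image()):
        print(f"RWX section {name!r}: {size} bytes ({size // 1024} KB)")
```

Run against real DLLs via `scan_file`, any hit is worth recording in an allowlist or inventory: an RWX section on its own is not malicious, but it is the precondition the technique relies on, and a module with one deserves extra scrutiny when it shows up in processes such as ssh.exe that have no business loading it.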
In order to achieve code injection in a manner that not only increases the efficiency of the attack but also avoids detection, the Israeli company stated that it investigated two distinct approaches: self-injection and remote process injection.
In the first method, a custom application directly loads the vulnerable DLL into its own address space and then uses the RWX section to execute the desired code. Remote process injection, on the other hand, entails using the RWX section in the vulnerable DLL to perform process injection into a remote process, for example ssh.exe.
“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code,” the researchers said.
“This differentiation sets this strategy apart from other existing techniques and makes it difficult for Endpoint Detection and Response (EDR) systems to detect this method.”
The findings come weeks after cybersecurity firm SpecterOps detailed a new method that exploits a legitimate Visual Studio deployment technology called ClickOnce to achieve arbitrary code execution and obtain initial access.