Security researchers have identified a new sophisticated hacking technique, dubbed “Mockingjay,” that can bypass enterprise detection and response (EDR) tools by injecting malicious code into trusted memory space. This stealthy approach allows attackers to operate undetected within an organization’s network for extended periods.
The attack technique — identified by researchers at Security Joes — is a challenge to EDR vendors and security teams alike.
“To effectively counteract such attacks, security solutions need to employ a comprehensive and proactive approach that goes beyond static monitoring of specific DLLs or system calls,” the researchers wrote. “Behavioral analysis, anomaly detection, and machine learning techniques can enhance the ability to identify process injection techniques and detect malicious activities within the memory space of trusted processes.”
See the Top EDR Solutions
The Mockingjay Attack Explained
The Mockingjay attack targets trusted and legitimate processes running on the system and avoids or minimizes use of Windows APIs that EDR tools commonly associate with injection attacks. By secretly injecting malicious code into the memory space of the trusted process, Mockingjay hides its activities within a seemingly harmless process.
EDR tools typically monitor Windows APIs within the memory space of processes to detect injection attacks, so the researchers set about trying to find other methods to dynamically execute code within the memory space of Windows processes without relying on the monitored Windows APIs.
They detailed two such attack techniques in their blog post.
They explored trusted Windows libraries that contain sections with default protections set as RWX (Read-Write-Execute). “By misusing these libraries, we were able to successfully inject code into various processes and eliminate the need to execute several Windows APIs usually monitored by security solutions,” they wrote. “This approach reduces the likelihood of detection by defense software, as our application does not directly invoke Windows APIs typically associated with process injection techniques. The injection is executed without space allocation, setting permissions or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section.”
Both attack techniques involve processes located within Visual Studio 2022 Community. The first is the DLL msys-2.0.dll, and the second attack technique targets the ssh.exe process located within the Visual Studio 2022 Community directory.
The msys-2.0 DLL contains a default RWX section that could potentially be exploited to load malicious code, the Security Joes researchers said. The report goes into great detail on the attack technique, which they summarized in six steps:
- Custom application loads vulnerable DLL using LoadLibraryW
- Location of the RWX section is resolved using the base address of the DLL and the offset of section
- A clean copy of NTDLL.DLL is loaded from the disk, and the system call numbers for the desired syscalls are obtained
- The addresses of the test instructions after the jmp added by the EDR are retrieved from the NTDLL.DLL in-memory copy (hooked by the EDR)
- Using the addresses of the test instructions and the syscall numbers, the researchers assemble their stubs in the RWX area of the vulnerable DLL
- When the stub is executed, it prepares the syscall number in the EAX register, as usual, and immediately jumps to the address of the corresponding test instruction for the chosen system call, bypassing the EDR verification step
Second EDR Attack Detailed
In the process of their work, the researchers noticed that the msys-2.0.dll library is “commonly utilized by applications that require POSIX emulation, such as GNU utilities or applications not originally designed for the Windows environment. We found relevant binaries with these characteristics within the Visual Studio 2022 Community subdirectory.”
For their proof of concept, they chose the ssh.exe process located within the Visual Studio 2022 Community directory as the payload target. “To accomplish this, we initiated the ssh.exe process as a child process of our custom application using the Windows API CreateProcessW,” they wrote, summarizing the attack technique as follows:
- Custom application is executed
- Trusted application (ssh.exe) using DLL msys-2.0.dll is launched as a child process
- Custom application opens a handle to the target process (ssh.exe)
- Code to be injected is copied into the RWX section of msys-2.0.dll
- Trusted application executes the injected code during its normal execution flow
- Additional DLL MyLibrary.dll is loaded by the shellcode injected in the RWX section
- Back connect shell session is established
“The uniqueness of this technique lies in the fact that there is no need to allocate memory, set permissions or create a new thread within the target process to initiate the execution of our injected code,” they wrote. “This differentiation sets this strategy apart from other existing techniques and makes it challenging for endpoint detection and response (EDR) systems to detect this method.”
How to Defend Against a Mockingjay Attack
EDR systems with integrated behavioral analytics can stop a Mockingjay attack by broadening the scope of their monitoring to cover trusted processes. Such detection techniques can identify code injection and unauthorized changes by establishing baseline behavior patterns and conducting memory integrity checks. EDR technologies can improve their capacity to recognize and block Mockingjay attacks through contextual analysis and the application of machine learning methods that can detect anomalous patterns.
For security teams, Mockingjay is yet another argument for defense-in-depth; if one security tool misses an attack, a second one could potentially limit the damage.
Read next: Network Protection: How to Secure a Network
