June 28 – According to cyber security experts, a new process injection technique dubbed “Mockingjay” could be exploited by threat actors to bypass security solutions. In so doing, hackers could execute malicious code on corporate systems.
The injection is executed without space allocation, setting permissions or starting a thread, said researchers. This technique requires a vulnerable DLL and copying code to the correct section.
Process injection attacks
The process injection attack method allows adversaries to inject code into processes so as to evade process-based defenses and to elevate privileges. Hackers could arbitrarily execute code in the memory space of a separate live process.
Well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing and process doppelgänging, among others.
Each of the above methods requires a combination of specific system calls and Windows APIs in order to carry out the injection.
Mockingjay stands out because it subverts security layers by eliminating the need to execute the Windows APIs usually monitored by security solutions. It does this by leveraging pre-existing Windows portable executable files that contain a default memory block protected with Read-Write-Execute (RWX) permissions.
This is accomplished using msys-2.0.dll, which comes with a “generous 16 KB of available RWX space.” This makes it ideal for loading malicious code and having it fly under the radar. However, researchers say that there could be other such susceptible DLLs…
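As an added example (not from the article or the researchers), a defender-side check in Python that parses a PE file's section table and flags any section whose header requests read, write and execute memory, the precondition Mockingjay relies on. The sample image is constructed inline so the script runs offline; point find_rwx_sections at the bytes of a real DLL to audit it.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def find_rwx_sections(image: bytes) -> list:
    """Return (name, virtual_size) for every section whose header asks for
    read+write+execute memory. `image` is the raw on-disk bytes of a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sect_off = pe_off + 24 + opt_size                         # section table follows the optional header
    hits = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; Characteristics is the last DWORD.
        name, vsize, _, _, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, sect_off + 40 * i)
        if flags & RWX == RWX:
            hits.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize))
    return hits


def build_sample_image() -> bytes:
    """Constructed minimal PE (not a real DLL): a normal .text section plus a
    16 KB section marked RWX, mimicking the default block the article describes."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x2002)  # x64, 2 sections, DLL | executable image

    def section(name, vsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, vsize, 0x400, 0, 0, 0, 0, flags)

    text = section(b".text", 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
    scratch = section(b".rwx", 16 * 1024, RWX)
    return dos + b"PE\0\0" + coff + text + scratch


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for name, size in find_rwx_sections(data):
        print(f"RWX section {name!r}: {size} bytes")
```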