Israeli Researchers Develop New Process Injection Method to Evade EDR Detection
Endpoint detection and response (EDR) systems have become better at detecting process injection attempts that use monitored APIs. In light of this, researchers at Security Joes, an Israel-based security company, have developed a novel method called Mockingjay that leverages dynamic link libraries (DLLs) to perform process injection without relying on monitored APIs. This approach reduces the likelihood of detection by endpoint security mechanisms and requires fewer steps to achieve the injection.
The Importance of Process Injection
Process injection is a technique used by attackers to manipulate the memory of a process, enabling them to add new functionality or modify its behavior. By injecting code into a running process, attackers can hide malicious activities and evade detection on compromised systems. There are several common process injection methods, including self-injection, DLL injection, and PE injection, each relying on specific Windows APIs that can be detected by EDR systems.
The Mockingjay Approach
Security Joes aimed to find alternative methods for executing code within the memory space of Windows processes without relying on monitored Windows APIs. Their unique approach involved identifying DLLs within the Windows OS that contained a default read, write, and execute (RWX) section. The researchers developed a tool to search for DLLs across the entire Windows file system that could serve as vehicles for code injection without triggering EDR alerts.
Through their exploration, Security Joes identified a vulnerable DLL called msys-2.0.dll with a 16KB RWX section in Visual Studio 2022 Community, which they used for injecting and executing their own code. They conducted several tests using this DLL to explore different methods for leveraging it to execute code in memory.
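The defender's counterpart to that search is an inventory of which executables on an endpoint ship a section mapped read, write and execute at once. The following is an added example, not Security Joes' tool or any code from the article: it parses PE section headers, flags RWX sections, walks a directory tree, and runs against a constructed minimal PE (not msys-2.0.dll) that mimics a 16 KB RWX section.

```python
import os
import struct

# PE section characteristic flags (values from winnt.h)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def pe_sections(data):
    """Return (name, virtual_size, characteristics) for every section header in a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table after optional header
    hdrs = (struct.unpack_from(SECTION_HDR, data, table + 40 * i) for i in range(num_sections))
    return [(f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[9]) for f in hdrs]

def rwx_sections(data):
    """Sections whose characteristics grant read, write and execute together."""
    return [(n, size) for n, size, ch in pe_sections(data) if ch & RWX == RWX]

def scan_tree(root):
    """Inventory DLL/EXE files under root that carry an RWX section (hunting use)."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith((".dll", ".exe"))):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = rwx_sections(fh.read())
            except (OSError, ValueError, struct.error):
                continue  # unreadable, or not a PE file
            if found:
                hits[path] = found
    return hits

def build_sample_pe(sections):
    """Constructed, non-loadable PE carrying the given (name, size, characteristics) headers."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2000)  # no optional header
    table = b"".join(struct.pack(SECTION_HDR, n.encode(), s, 0, s, 0, 0, 0, 0, 0, c)
                     for n, s, c in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed sample: ordinary .text/.data beside a 16 KB section that is RWX
SAMPLE = build_sample_pe([(".text", 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                          (".data", 0x800, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE), (".rwx", 0x4000, RWX)])
```

Running `scan_tree` over program directories and comparing the result against a known baseline turns the researchers' observation into a recurring hunt: any new file with an RWX section is worth a closer look.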
Direct Injection into a Custom Application
One method involved directly loading the vulnerable DLL into the memory space of a custom application called nightmare.exe. This approach allowed the researchers to inject and execute their own shellcode into the memory space of the application without relying on any Windows APIs. Additionally, the shellcode removed all EDR hooks without triggering alerts.
Remote Process Injection
The second tactic involved abusing the RWX section in the DLL to perform process injection in a remote process. The researchers identified binaries that used msys-2.0.dll for their operations, particularly associated with GNU utilities and POSIX emulation. They chose the ssh.exe process in Visual Studio 2022 Community as the target for injecting their code. Notably, in this injection method, there was no need to explicitly create a thread within the target process, as the process automatically executed the injected code.
Security Joes emphasizes that the DLL they used is just one example of many other vulnerable DLLs that can potentially be abused for code injection purposes. Addressing this threat requires endpoint security tools that go beyond monitoring specific APIs and DLLs and employ behavioral analysis and machine learning techniques to identify process injection.
Editorial: Balancing Security and Innovation
The development of Mockingjay highlights an ongoing battle between hackers and security researchers. As EDR systems become more advanced at detecting traditional process injection techniques, attackers are constantly innovating to find new ways to evade detection. This cat-and-mouse game underscores the importance of a holistic approach to cybersecurity.
While it is essential to have robust endpoint security tools that can detect known attack vectors, such as monitoring specific APIs and DLLs, relying solely on signature-based detection can lead to blind spots. The rise of techniques like Mockingjay demonstrates the need for behavioral analysis and machine learning to identify and stop novel attack methods.
At the same time, security measures must not stifle innovation. DLLs play a crucial role in the Windows ecosystem, enabling programs to share code and interact effectively. Efforts should be directed towards securing DLLs, scrutinizing their default section permissions, and continuously patching vulnerabilities so that code injection methods are not easily exploitable.
Additionally, collaboration between cybersecurity researchers, software developers, and EDR vendors is crucial. Regular communication and information sharing can help identify emerging threats, develop effective mitigation strategies, and enhance the overall security of systems.
Advice for Enhancing Endpoint Security
Given the evolving nature of process injection techniques, organizations should take proactive steps to enhance their endpoint security posture. Here are some recommendations:
1. Implement a Multi-Layered Security Approach
Relying on a single security solution is no longer sufficient. Implement multiple layers of security that include firewalls, antivirus software, intrusion detection/prevention systems, and EDR tools. This diversified approach increases the chances of detecting and stopping sophisticated attacks.
2. Incorporate Behavioral Analysis and Machine Learning
Endpoint security solutions should go beyond signature-based detection and include behavioral analysis and machine learning capabilities. By analyzing patterns and deviations from normal behavior, these techniques can identify malicious activities and detect novel attack methods like Mockingjay.
3. Regularly Update and Patch Software
Keeping software and DLLs up to date with the latest patches is crucial for minimizing vulnerabilities. Organizations should establish a robust patch management process to ensure all systems are promptly updated, reducing the risk of exploitation.
4. Foster Collaboration and Information Sharing
Encourage collaboration between cybersecurity researchers, software developers, and EDR vendors. Sharing information about emerging threats, vulnerabilities, and detection techniques can enable swift response and enhance overall system security.
5. Conduct Regular Threat Hunting
Proactively search for signs of compromise by conducting regular threat hunting activities. This involves actively looking for indicators of malicious activity, such as anomalous network traffic, unusual behavior, or unauthorized access attempts.
By adopting these recommendations and remaining vigilant in the face of evolving attack techniques, organizations can significantly enhance their endpoint security posture and better defend against process injection attacks like Mockingjay.