Analysis
- The Mockingjay process injection technique is an advancement in evading security measures.
- Threat actors exploit vulnerable DLLs and RWX permissions in existing Windows executable files to execute undetected malicious code.
- It bypasses memory allocation, permission setup, and thread creation, posing a challenge for EDR systems.
- Traditional process injection methods rely on specific system calls and Windows APIs; because Mockingjay avoids those calls, detections keyed to them are undermined.
- Recent attack techniques, such as ClickOnce exploitation, demonstrate the evolving nature of cyber threats.
Prevention
- Patch and update vulnerable DLLs regularly.
- Implement robust security monitoring and analysis tools.
- Employ DLL integrity monitoring to detect unauthorized modifications.
- Provide security awareness training to employees.
- Utilize application sandboxing and isolation techniques.
- Deploy behavior-based endpoint protection solutions.
- Stay updated with threat intelligence and security practices.
By following these prevention methods, organizations can significantly reduce the likelihood and impact of Mockingjay process injection attacks.
Detection
- Implement behavior-based anomaly detection to identify unusual process behaviors and unexpected code execution.
- Monitor memory activities for signs of unusual code execution or modifications to memory blocks.
- Regularly perform integrity checks on DLLs to detect unauthorized modifications or replacements.
- Monitor system events and logs for abnormal activities, such as unexpected process creation or unauthorized DLL loading.
- Deploy advanced Endpoint Detection and Response (EDR) solutions that utilize behavior-based analysis and threat intelligence.
- Stay updated with threat intelligence sharing communities to gather information on emerging attack techniques.
- Perform file and memory analysis to identify indicators of process injection, such as hidden or malicious code sections.
- Conduct security audits and penetration testing to proactively identify vulnerabilities.
By implementing a combination of these detection methods and maintaining continuous monitoring, organizations can enhance their ability to detect and respond to Mockingjay process injection attempts.
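Two of the detection items above can be turned into a concrete, offline check. The "vulnerable DLL" Mockingjay depends on is one whose PE section table already grants read, write and execute to a section, so candidates can be found on disk by parsing section headers; the integrity check is a hash comparison against a known-good baseline. The Python below is an added example, not code from the original page or from the researchers who documented Mockingjay. The sample PE bytes, section names and function names are constructed for illustration; only the PE/COFF header offsets and section flag values are real.

```python
import hashlib
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_sections(image: bytes):
    """Walk the DOS header, PE signature and COFF header of a PE image and
    return [(section_name, virtual_size, characteristics)] for every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_hdr_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * 40                    # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virtual_size = struct.unpack_from("<I", image, off + 8)[0]
        characteristics = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, virtual_size, characteristics))
    return sections


def find_rwx_sections(image: bytes):
    """Names of sections whose header grants read, write and execute at once."""
    return [name for name, _, chars in parse_sections(image)
            if chars & RWX_MASK == RWX_MASK]


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def assess_dll(image: bytes, baseline_sha256=None):
    """Combine the two checks the text calls for: RWX-section hunting and an
    on-disk integrity comparison against a known-good hash (None = no baseline)."""
    return {
        "rwx_sections": find_rwx_sections(image),
        "hash_matches_baseline": (baseline_sha256 is None
                                  or sha256_hex(image) == baseline_sha256),
    }


def build_sample_image(sections):
    """Constructed test input: a minimal, non-loadable PE image with only the
    headers parse_sections needs (hypothetical bytes, not a real DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew -> PE signature at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: no optional header), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed samples: one image carries a writable+executable section, one does not.
SUSPECT_IMAGE = build_sample_image([
    (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rwx", 0x100000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX_MASK),
])
CLEAN_IMAGE = build_sample_image([
    (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_IMAGE)
    for label, img in (("suspect", SUSPECT_IMAGE), ("clean", CLEAN_IMAGE)):
        print(label, assess_dll(img, baseline))
```

On a real host, pass the bytes of each DLL under review (read from disk) to assess_dll together with the hash recorded at deployment time. An RWX section is a candidate, not proof of compromise: the page itself names msys-2.0.dll as a DLL that ships this way, so hits belong in an allowlist or baseline, and the useful signal is a DLL that newly acquires such a section or whose hash drifts from the baseline.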
Indicators of compromise:
Indicator type | Indicator
--- | ---
File Indicators | File Name: msys-2.0.dll (or similar vulnerable DLLs); File Location: path to the DLL file
Process Indicators | Process Name: nightmare.exe or ssh.exe; Process Behavior: high CPU or memory usage, abnormal network connections, unauthorized modifications to system files
Network Indicators | IP Addresses: suspicious or malicious IPs; Domains: suspicious or malicious domains
Behavioral Indicators | Unusual DLL modifications; Abnormal API calls: LoadLibraryW, CreateProcessW, GetModuleInformation, WriteProcessMemory, NtWriteVirtualMemory, CreateRemoteThread, NtCreateThreadEx
References:
https://thehackernews.com/2023/06/new-mockingjay-process-injection.html
https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/