mockingjay-process-injection

Analysis

  • Mockingjay is a process injection technique built specifically to slip past endpoint security controls.
  • Rather than asking the operating system for new executable memory, it reuses a legitimate DLL that already ships with a PE section marked read, write and execute (RWX); the published research used msys-2.0.dll, whose default RWX section is large enough to hold shellcode. The attacker writes code into that section and executes it from there, either in its own process or in a remote process that has loaded the DLL.
  • Because no memory is allocated, no page protection is changed and no new thread is created, the calls that EDR products typically hook to catch injection (VirtualAllocEx, VirtualProtectEx, CreateRemoteThread and their Nt* equivalents) are never made.
  • Detection logic for traditional process injection keys on exactly those system calls and Windows APIs, so Mockingjay falls outside its coverage.
  • Mockingjay surfaced alongside other recently reported techniques, such as ClickOnce abuse, underlining how quickly offensive tradecraft evolves.

Prevention

  • Inventory the DLLs deployed in your environment and keep them current; the technique depends on a DLL whose section is already writable and executable, so replacing or removing such DLLs (msys-2.0.dll is the published example) removes the precondition.
  • Implement robust security monitoring and analysis tools.
  • Employ DLL integrity monitoring to detect unauthorized modifications or replacements.
  • Provide security awareness training to employees.
  • Utilize application sandboxing and isolation techniques.
  • Deploy behavior-based endpoint protection solutions rather than relying on API hooks alone.
  • Stay updated with threat intelligence and security practices.

By following these prevention methods, organizations can significantly reduce the likelihood and impact of Mockingjay process injection attacks.
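The precondition Mockingjay needs is a loaded DLL with a section that is already writable and executable. That property is visible in the PE section table on disk, so it can be checked without any EDR hook. The scanner below is an added example written for this page (it is not code from the Mockingjay research or from any vendor); it parses the COFF and section headers with the standard library only, flags sections whose characteristics include both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, and exercises itself on a minimal PE image constructed inline. The section names, sizes and flags in that sample image are made up for the test; point it at real DLL paths on the command line to inventory your own estate.

```python
"""Flag PE sections that are both writable and executable (RWX).

Added example for this page, not code from the Mockingjay write-up or
from any vendor. Pure standard library, so it runs on any OS; the sample
image at the bottom is constructed inline and no real DLL is needed.
"""
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

COFF_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list[dict]:
    """Return one dict per section header of a PE image (file bytes)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    (_machine, num_sections, _ts, _symtab, _nsyms,
     opt_hdr_size, _chars) = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    # The section table follows the optional header, whatever its size.
    table_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table_off + i * struct.calcsize(SECTION_HEADER_FMT)
        (name, vsize, vaddr, _raw_size, _raw_ptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "characteristics": chars,
        })
    return sections


def rwx_sections(data: bytes) -> list[dict]:
    """Sections the loader will map writable AND executable."""
    return [s for s in parse_sections(data)
            if s["characteristics"] & RWX_MASK == RWX_MASK]


def scan_file(path: str) -> list[dict]:
    """RWX sections of a PE file on disk (the precondition Mockingjay needs)."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_sample_pe(sections: list[tuple[bytes, int, int]]) -> bytes:
    """Constructed minimal PE32+ header used only to exercise the parser.

    Each tuple is (name, virtual_size, characteristics). Section RVAs are
    laid out page-aligned starting at 0x1000. Not a loadable image.
    """
    opt_hdr_size = 0xF0                                     # PE32+ optional header
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, len(sections), 0, 0, 0,
                       opt_hdr_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_hdr_size - 2)  # magic only
    table = b""
    va = 0x1000
    for name, vsize, chars in sections:
        table += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                             vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        va += (vsize + 0xFFF) & ~0xFFF
    return mz + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for path in sys.argv[1:]:
        for s in scan_file(path):
            print(f"{path}: section {s['name']!r} is RWX "
                  f"(RVA 0x{s['virtual_address']:X}, size 0x{s['virtual_size']:X})")
```

Run it over the DLL directories you ship or allow (`python rwx_scan.py "C:\path\to\*.dll"` after shell expansion, or feed it a file list) and treat every hit as an inventory item to review. Note what this does and does not tell you: an RWX section on disk means the DLL can host injected code the way msys-2.0.dll does, not that injection has happened; pairing the list with the runtime checks in the Detection section is what turns it into a detection.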

Detection

  • Implement behavior-based anomaly detection to identify unusual process behaviors and unexpected code execution.
  • Monitor memory activity for code executing from, or being written into, regions that are both writable and executable inside a loaded module, and for cross-process writes (for example NtWriteVirtualMemory) into such regions. Mockingjay makes no allocation, protection-change or thread-creation calls, so detections that fire only on those hooks will not see it.
  • Regularly perform integrity checks on DLLs to detect unauthorized modifications or replacements.
  • Monitor system events and logs for abnormal activities, such as unexpected process creation (a target process spawned by an unrelated parent) or unexpected DLL loading.
  • Deploy advanced Endpoint Detection and Response (EDR) solutions that utilize behavior-based analysis and threat intelligence.
  • Stay updated with threat intelligence sharing communities to gather information on emerging attack techniques.
  • Perform file and memory analysis to identify indicators of process injection, such as hidden or malicious code sections and modules whose sections are mapped RWX.
  • Conduct security audits and penetration testing to proactively identify vulnerabilities.

By implementing a combination of these detection methods and maintaining continuous monitoring, organizations can enhance their ability to detect and respond to Mockingjay process injection attempts.
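The log-monitoring bullets above come down to one correlation: a process creates another process, that child loads a DLL known to map an RWX section, and the creator then opens the child with memory-write access but never creates a remote thread in it. The rule below is an added example for this page (not a vendor detection and not code from the Mockingjay research). The events are constructed inline in a Sysmon-like shape (Event ID 1 ProcessCreate, 7 ImageLoad, 8 CreateRemoteThread, 10 ProcessAccess) with Sysmon's field names, and the process IDs, paths and the single-entry watchlist (msys-2.0.dll, from this page's IoC table) are assumptions; the PROCESS_VM_WRITE bit (0x0020) in GrantedAccess is the real Windows access right.

```python
"""Correlate endpoint telemetry for the Mockingjay remote-injection shape.

Added example for this page, not code from the original write-up or from
any EDR vendor. Events are constructed inline in a Sysmon-like form; a real
deployment would feed parsed log records in and maintain the watchlist of
DLLs whose section table contains an RWX section.
"""
import ntpath
from collections import defaultdict

PROCESS_VM_WRITE = 0x0020            # access right bit in Sysmon EID 10 GrantedAccess
RWX_DLL_WATCHLIST = {"msys-2.0.dll"}  # assumed inventory of DLLs with an RWX section

# Constructed sample telemetry (not a real capture). First four events: a
# loader spawns ssh.exe, which loads msys-2.0.dll; the loader then opens the
# child with full access (includes PROCESS_VM_WRITE) and no EID 8 follows.
# Last four events: a debugger-like tool that also writes to a child it
# spawned, but the child loaded nothing from the watchlist and a remote
# thread was created; it must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Users\u\Downloads\nightmare.exe",
     "ParentProcessId": 800},
    {"EventID": 1, "ProcessId": 5555, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "ParentProcessId": 4321},
    {"EventID": 7, "ProcessId": 5555,
     "ImageLoaded": r"C:\Program Files\Git\usr\bin\msys-2.0.dll"},
    {"EventID": 10, "SourceProcessId": 4321, "TargetProcessId": 5555,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Tools\target.exe",
     "ParentProcessId": 900},
    {"EventID": 7, "ProcessId": 901, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 901,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 900, "TargetProcessId": 901},
]


def _access_mask(value) -> int:
    """Sysmon logs GrantedAccess as a hex string; accept ints too."""
    return int(value, 16) if isinstance(value, str) else int(value)


def find_injection_candidates(events, watchlist=RWX_DLL_WATCHLIST):
    """Return alerts for (source, target) pairs where the source wrote into a
    target that has a watchlisted RWX DLL loaded. Severity is 'high' when the
    source also spawned the target and never created a remote thread in it,
    which is the thread-less shape Mockingjay's remote variant produces."""
    parent_of = {}                    # child pid -> parent pid (EID 1)
    modules = defaultdict(set)        # pid -> lower-cased module basenames (EID 7)
    vm_writes = set()                 # (src, tgt) with PROCESS_VM_WRITE (EID 10)
    remote_threads = set()            # (src, tgt) from EID 8
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent_of[ev["ProcessId"]] = ev["ParentProcessId"]
        elif eid == 7:
            modules[ev["ProcessId"]].add(ntpath.basename(ev["ImageLoaded"]).lower())
        elif eid == 8:
            remote_threads.add((ev["SourceProcessId"], ev["TargetProcessId"]))
        elif eid == 10 and _access_mask(ev["GrantedAccess"]) & PROCESS_VM_WRITE:
            vm_writes.add((ev["SourceProcessId"], ev["TargetProcessId"]))

    wanted = {name.lower() for name in watchlist}
    alerts = []
    for src, tgt in sorted(vm_writes):
        hits = modules[tgt] & wanted
        if not hits:
            continue
        spawned = parent_of.get(tgt) == src
        threaded = (src, tgt) in remote_threads
        alerts.append({
            "source_pid": src,
            "target_pid": tgt,
            "rwx_modules": sorted(hits),
            "spawned_by_source": spawned,
            "remote_thread_seen": threaded,
            "severity": "high" if spawned and not threaded else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_injection_candidates(SAMPLE_EVENTS):
        print(alert)
```

The deliberate design choice is that the absence of an Event ID 8 raises, rather than lowers, the severity: classic injection leaves a CreateRemoteThread record, while the technique described on this page writes into memory the target already executes from and hijacks control without a new thread. Tune the watchlist from a section-table scan of the DLLs in your estate, and keep Sysmon's EID 10 filtering broad enough that writes into your ssh.exe-like targets are not dropped before they reach this rule.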

Indicators of compromise:

Indicator type         Indicator
---------------------  -------------------------------------------------------------
File indicators        File name: msys-2.0.dll (or other DLLs that ship with a default RWX section)
                       File location: path of the DLL on disk
Process indicators     Process name: nightmare.exe (the published proof-of-concept loader) or ssh.exe (the process it injected into)
                       Process behavior:
                         - High CPU or memory usage
                         - Abnormal network connections
                         - Unauthorized modifications to system files
Network indicators     IP addresses: suspicious or malicious IPs
                       Domains: suspicious or malicious domains
Behavioral indicators  Unusual DLL modifications
                       Abnormal API calls:
                         - LoadLibraryW
                         - CreateProcessW
                         - GetModuleInformation
                         - WriteProcessMemory
                         - NtWriteVirtualMemory
                         - CreateRemoteThread
                         - NtCreateThreadEx

Note that CreateRemoteThread and NtCreateThreadEx are characteristic of classic remote-thread injection; Mockingjay specifically avoids creating a thread, so a cross-process write (WriteProcessMemory / NtWriteVirtualMemory) into a process that has loaded one of the listed DLLs, with no thread creation following it, is the more telling pattern.

References:

https://thehackernews.com/2023/06/new-mockingjay-process-injection.html 

https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/
