top of page
Writer's pictureInception Security

Understanding the Mockingjay Malware

Cybersecurity is a lot like a game of chess. You must anticipate your opponent's moves and devise strategies to stop them. But what happens when the opponent changes the rules of the game? A new threat called the Mockingjay malware shows us how crucial foresight is in cybersecurity.


Recently, a new process injection technique, Mockingjay, has been discovered, making waves in cybersecurity. This malware can bypass security solutions to execute malicious code on compromised systems. But what makes this malware particularly menacing? And how does it work?


The Mechanics of Mockingjay Malware


To understand Mockingjay, we first must understand what a process injection is. It's a technique that allows adversaries to inject code into processes, often used to evade process-based defenses and elevate privileges.


Some well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, and more. These methods typically involve using Windows APIs and system calls, allowing defenders to craft appropriate detection and mitigation procedures.


Mockingjay, however, stands apart from these methods. It subverts these security layers by eliminating the need to execute Windows APIs usually monitored by security solutions. Instead, it leverages pre-existing Windows portable executable files with a memory block protected with Read-Write-Execute (RWX) permissions. In other words, it uses a "loophole" in the system to fly under the radar.


The Kill Chain Analysis


The first step in the Mockingjay attack is to find a vulnerable DLL with a default RWX section to load malicious code. Researchers have discovered the DLL msys-2.0.dll, which has a default RWX section of 16 KB, as a suitable candidate for this task.


Next, the attackers use two methods- self-injection and remote process injection- to achieve code injection.


In the first approach, a custom application loads the vulnerable DLL into its memory space and executes the desired code using the RWX section. Then, a clean system module, NTDLL.DLL, is abused for extracting syscall numbers, which are used to bypass Endpoint Detection and Response (EDR) hooks, allowing the injected code to run undetected.


In the second method, the vulnerable DLL injects a payload into a remote process, specifically the "ssh.exe" process. The custom application launches ssh.exe as a child process, opens a handle to the target process, and injects the malicious code onto the RWX memory space of the vulnerable DLL.


Finally, the injected code establishes a reverse shell with the attacker's machine, successfully evading EDR solutions.


Why is Inception Security Essential for Businesses?


As you can see, Mockingjay is a serious threat that adversaries could exploit to bypass security solutions, making it more critical than ever to have robust cybersecurity measures in place.


This is where Inception Security comes in. At Inception Security, we believe that "Cybersecurity is about foresight, it is about anticipating the hackers' moves and devising countermeasures to stop them in their tracks".


With sophisticated malware like Mockingjay on the rise, your business needs a security partner to keep you ahead of these evolving threats. Inception Security's advanced cybersecurity solutions are designed to anticipate and counteract such tactics, securing your digital assets against even the most cunning cyber adversaries.


Our state-of-the-art solutions can help protect your business from threats like Mockingjay by providing comprehensive monitoring and threat detection capabilities. These capabilities are essential, as Mockingjay uses Windows APIs such as 'LoadLibraryW,' 'CreateProcessW,' and 'GetModuleInformation' to load a misconfigured DLL and find the address of the DLL's RWX section. It does not use APIs such as 'WriteProcessMemory,' 'NtWriteVirtualMemory,' 'CreateRemoteThread,' or 'NtCreateThreadEx,' which are more commonly invoked in traditional process injection attacks and thus commonly monitored by EDRs.


By providing robust security defenses and leveraging our expertise in threat intelligence, Inception Security can help detect and respond to such sophisticated threats before they cause harm to your organization.


In conclusion, discovering the Mockingjay malware underscores the importance of staying vigilant and proactively approaching cybersecurity. It is no longer enough to react to threats as they occur; businesses must anticipate these threats and have the right measures in place to prevent them.

Comments


bottom of page