EDR bypass possible with novel Mockingjay process injection technique

BleepingComputer reports that threat actors could use Mockingjay, a new process injection technique documented by Security Joes, to deploy malware without being detected by endpoint detection and response (EDR) systems. Conventional injection techniques call Windows APIs and system calls that allocate executable memory, write into it and start execution there, and those calls are precisely the functions EDR products hook in user mode; several of them also need special permissions. Mockingjay avoids them. It relies on a legitimate DLL that the researchers describe as vulnerable because it ships with a default section marked readable, writable and executable (RWX). Since the normal loader maps that section with those protections already in place, malicious code can be copied into it and executed without allocating new memory, changing page protections or acquiring additional privileges, so the hooked functions are never invoked. "By leveraging this pre-existing RWX section, we can take advantage of the inherent memory protections it offers, effectively bypassing any functions that may have already been hooked by EDRs. This approach not only circumvents the limitations imposed by userland hooks but also establishes a robust and reliable environment for our injection technique," said the researchers, who built both a self-injection method and a remote process injection method on this basis. The bypass is specific to userland hooks: telemetry that does not depend on them, such as kernel-mode callbacks and periodic memory scans, is unaffected, and a loaded module carrying an RWX section is itself a useful hunting signal.
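As an added example (not code from Security Joes or BleepingComputer), the following Python script shows the precondition Mockingjay depends on from the defender's side: it parses a PE file's section table and reports sections that are readable, writable and executable at once. The header offsets and flag values come from the PE/COFF specification; the sample image it scans is constructed inside the script and is not a real DLL.

```python
"""Scan PE files for sections whose characteristics grant read, write and
execute access simultaneously: the memory layout Mockingjay relies on.

Only the DOS header, COFF file header and section table are parsed, so no
third-party library (such as pefile) is required."""
import struct
import sys
from pathlib import Path

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

FILE_HEADER_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_section_table(data: bytes) -> list[dict]:
    """Return one dict per section header: name, virtual layout and flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _machine, n_sections, _, _, _, opt_hdr_size, _ = struct.unpack_from(
        FILE_HEADER_FMT, data, file_hdr)
    # The section table directly follows the optional header.
    table = file_hdr + struct.calcsize(FILE_HEADER_FMT) + opt_hdr_size
    sections = []
    for i in range(n_sections):
        (name, vsize, vaddr, _raw_size, _raw_ptr, _, _, _, _,
         chars) = struct.unpack_from(SECTION_HEADER_FMT, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "characteristics": chars,
        })
    return sections


def find_rwx_sections(data: bytes) -> list[str]:
    """Names of sections that are readable, writable and executable at once."""
    return [s["name"] for s in parse_section_table(data)
            if s["characteristics"] & RWX == RWX]


def build_sample_pe(section_flags: dict[str, int]) -> bytes:
    """Constructed, header-only PE image for testing. It is not loadable;
    it has just enough structure for the parser above."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_hdr = b"\0" * 240  # PE32+ optional header size; contents irrelevant here
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x8664, len(section_flags),
                           0, 0, 0, len(opt_hdr), 0x2022)  # x64, DLL flags
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(section_flags.items()))
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed sample: an ordinary code/data layout plus one RWX section of the
# kind a Mockingjay-style loader would write its payload into.
SAMPLE_DLL = build_sample_pe({
    ".text": IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20,  # CNT_CODE
    ".data": IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40,    # CNT_INITIALIZED_DATA
    ".rwx": RWX | 0x40,
})


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: rwx_scan.py <file-or-directory> ...")
    for arg in sys.argv[1:]:
        root = Path(arg)
        for path in (root.rglob("*") if root.is_dir() else [root]):
            if path.suffix.lower() not in {".dll", ".exe", ".sys"}:
                continue
            try:
                hits = find_rwx_sections(path.read_bytes())
            except (ValueError, struct.error, OSError):
                continue  # not a PE file, truncated, or unreadable
            if hits:
                print(f"{path}: RWX sections {hits}")
```

Point the script at a directory of installed software to inventory DLLs that ship with an RWX section. Such a DLL is not malicious in itself, but it is a candidate for abuse, and the same section-flag check is what a memory scanner can apply to the images already loaded in a running process.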
