Mockingjay: the new code injection technique used to deliver malware


Thanks to the work of researchers at Security Joes, a new code injection technique called Mockingjay has been identified.

The authors of the discovery (Thiago Peixoto, Philip Duarte and Gone No), in a report shared with The Hacker News, described this new strategy as one of a kind.

The technique, in fact, relies on a vulnerable DLL file and on copying code into it. Injection itself, on the other hand, is certainly not a new method of attack in the field of information security.

In most cases, including the Mockingjay technique, DLL (Dynamic Link Library) files are the target, reached through the execution of Windows APIs. What makes this technique particularly dangerous, however, is its impressive evasion capability.

Mockingjay bypasses most defenses – this is how this technique works

What distinguishes Mockingjay from the most common injection techniques is that it does not need to go through the Windows APIs that antivirus and similar products usually monitor.

In fact, this technique exploits the file msys-2.0.dll which, because of its characteristics, is ideal for an injection attack (it offers 16 KB of space to the malicious agent).

According to the researchers, “The uniqueness of this technique lies in the fact that it is not necessary to allocate memory, set permissions or create a new thread within the target process to start the execution of the injected code”, adding that “This differentiation distinguishes the strategy from other existing techniques and makes it difficult for Endpoint Detection and Response (EDR) systems to detect such activity”.

The upshot is that, as things stand, Mockingjay can put most antivirus products on the market in difficulty.
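The quoted claim that no memory allocation or permission change is needed implies that the usable space already sits in memory that is both writable and executable; the public research indeed attributes the 16 KB in msys-2.0.dll to a section that is mapped read/write/execute by default. A defender can therefore inventory the DLLs on a system for sections flagged that way in their headers. The script below is an added example, not code from the article or from Security Joes: a minimal PE section-table parser, a constructed sample image (the section names, sizes and file layout are invented for the test and are not taken from any real DLL), and a `scan_file` helper for files on disk.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def pe_sections(data: bytes):
    """Yield (name, virtual_size, characteristics) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    (number_of_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + size_of_optional_header          # section table follows the optional header
    for i in range(number_of_sections):
        off = table + i * 40                             # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (virtual_size,) = struct.unpack_from("<I", data, off + 8)
        (characteristics,) = struct.unpack_from("<I", data, off + 36)
        yield name, virtual_size, characteristics


def rwx_sections(data: bytes):
    """Return [(name, virtual_size)] for sections mapped readable, writable and executable."""
    return [(name, size) for name, size, ch in pe_sections(data) if ch & RWX == RWX]


def scan_file(path: str):
    """Scan one DLL or EXE on disk and return the RWX sections it declares."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_sample_pe(sections):
    """Constructed minimal PE (headers only, no optional header, no section data) used as sample input."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics (EXECUTABLE | LARGE_ADDRESS_AWARE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    image = dos_stub + b"PE\0\0" + coff
    for name, vsize, chars in sections:
        # Name(8), VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        image += name.ljust(8, b"\0")[:8] + struct.pack("<IIIIIIHHI", vsize, 0, 0, 0, 0, 0, 0, 0, chars)
    return image


# Constructed sample: an ordinary .text/.data layout plus one 16 KB section that is already RWX.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (b".data", 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rwx", 0x4000, IMAGE_SCN_CNT_CODE | RWX),
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:
        print("sample image:", rwx_sections(SAMPLE_PE))   # [('.rwx', 16384)]
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it with DLL paths as arguments to check real files; with no arguments it parses the constructed sample. A hit is not proof of abuse, since some toolchains legitimately emit such sections, but a library that ships an RWX section is exactly the kind of module whose in-memory image is worth covering with EDR memory-scanning rules, because the injection needs no VirtualAlloc, VirtualProtect or CreateThread call that a hook could observe.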

In this regard, to avoid potential problems, it is advisable to rely on security suites of proven value and to keep all software on your computer up to date.

Source: thehackernews.com
