Mockingjay Process Injection Technique Evades EDR

Security researchers have identified a new process injection method called "Mockingjay" that places code inside legitimate processes and bypasses popular EDR solutions and other protections. It gives attackers a way to execute malicious code on a compromised system while staying hidden. Specialists at Security Joes explain that the method relies on legitimate DLL files that already contain a section with read, write and execute (RWX) permissions, so the EDR checks triggered by conventional injection never fire.

Process injection is an arbitrary code execution mechanism that lets an attacker run malicious code in the address space of a separate process that the operating system trusts. Conventional variants such as DLL injection, PE injection, thread hijacking and process hollowing rely on Windows API functions and system calls that allocate memory in the target process, write to it, change its protection and create a thread in it.

Security tools that monitor that sequence of actions can detect such attacks and terminate them quickly. Security Joes researchers claim that Mockingjay differs from the common approaches because it does not need those Windows APIs to obtain executable memory. To develop the method, they looked for a DLL that ships with an RWX section by default and found "msys-2.0.dll"; the contents of that section can be overwritten with malicious code and executed without requesting additional memory permissions that security software would treat as suspicious.

The researchers' goal was to find a suitable DLL that would let them bypass EDR detection logic reliably. Because no memory allocation or protection change is required, the approach sidesteps the user-mode hooks that EDRs place on those APIs and gives the injection technique a stable and reliable execution environment.
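To make the reconnaissance step concrete, the following is an added example written for this page (it is not Security Joes's tooling) that parses PE section headers with nothing but the standard library and flags any section marked readable, writable and executable. The same scan is the defender's hunt for DLLs that could serve as injection targets. The sample image, its section names and sizes are constructed for the test and do not describe the real layout of msys-2.0.dll; `scan_directory` is a hypothetical helper for running the check over a directory tree.

```python
"""Find PE sections that are readable, writable and executable (RWX).

Added example for this page, not Security Joes's code. The parser reads
the DOS, COFF and section headers directly with ``struct`` so it runs
offline without the ``pefile`` package.
"""
import os
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    characteristics: int

    @property
    def is_rwx(self) -> bool:
        return self.characteristics & RWX == RWX


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> NT headers and return every section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, _, _, _, _, _, _, chars = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, vaddr, chars))
    return sections


def find_rwx_sections(image: bytes, min_size: int = 0) -> List[Section]:
    """RWX sections at least ``min_size`` bytes: large enough to hold a payload."""
    return [s for s in parse_sections(image)
            if s.is_rwx and s.virtual_size >= min_size]


def scan_directory(root: str, min_size: int = 0) -> Iterator[Tuple[str, Section]]:
    """Hypothetical hunt helper: yield (path, section) for RWX sections in DLLs under root."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(0x2000)  # headers only; unparsable files are skipped
                for sec in find_rwx_sections(head, min_size):
                    yield path, sec
            except (OSError, ValueError, struct.error):
                continue


def build_sample_image(layout) -> bytes:
    """Constructed, header-only PE32+ image for offline testing (NOT msys-2.0.dll)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = bytearray(240)                   # sizeof(IMAGE_OPTIONAL_HEADER64)
    struct.pack_into("<H", optional, 0, 0x20B)  # PE32+ magic
    # Machine=AMD64, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, DLL flags
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, len(optional), 0x2022)
    headers = b"".join(
        SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, chars in layout)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + headers


# Constructed sample: ordinary code and data sections plus one default-RWX section.
SAMPLE_IMAGE = build_sample_image([
    (".text", 0x12000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".data", 0x3000, 0x14000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rwx", 0x4000, 0x18000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
])

if __name__ == "__main__":
    for sec in find_rwx_sections(SAMPLE_IMAGE, min_size=0x1000):
        print(f"sample image: {sec.name} RVA=0x{sec.virtual_address:x} size=0x{sec.virtual_size:x}")
    # On a Windows host, the real hunt would be e.g.:
    # for path, sec in scan_directory(r"C:\Program Files", 0x1000): print(path, sec.name)
```

Run against a real host, `scan_directory` produces the list of DLLs an attacker could reuse this way; defenders can baseline that list and treat writes into an RWX image section, or an unexpected process loading one of those DLLs, as a detection opportunity that API hooks alone would miss.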

The technical details of the Mockingjay method are available in the Security Joes technical report. Mockingjay is a clear demonstration of why organizations should adopt a layered approach to security rather than relying solely on EDR: a product that only watches the injection APIs will not see an attacker who writes into memory that is already executable.

The report stresses the value of putting obstacles in an attacker's path to reduce the likelihood of a successful intrusion, so defenders should combine every available control rather than depend on a single one.

Link: Security Joes (learn more about their findings)
