New Malware Technique Might Exploit Windows UI Framework to Evade EDR Tools

Dec 11, 2024 | Ravie Lakshmanan | Malware / Endpoint Security

A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious actions without tipping off endpoint detection and response (EDR) solutions.

“To exploit this technique, a user must be convinced to run a program that uses UI Automation,” Akamai security researcher Tomer Peled said in a report shared with The Hacker News. “This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more.”

Even worse, local attackers could take advantage of this security blind spot to execute commands and read/write messages from/to messaging applications like Slack and WhatsApp. On top of that, it could potentially be weaponized to manipulate UI elements over a network.

First available in Windows XP as part of the Microsoft .NET Framework, UI Automation is designed to provide programmatic access to various user interface (UI) elements and help users manipulate them using assistive technology products, such as screen readers. It can also be used in automated testing scenarios.


“Assistive technology applications typically need access to the protected system UI elements, or to other processes that might be running at a higher privilege level,” Microsoft notes in a support document. “Therefore, assistive technology applications must be trusted by the system, and must run with special privileges.”

“To get access to higher IL processes, an assistive technology application must set the UIAccess flag in the application’s manifest and be launched by a user with administrator privileges.”

The UI interactions with elements in other applications are achieved by using the Component Object Model (COM) as an inter-process communication (IPC) mechanism. This makes it possible to create UIA objects that can be used to interact with the application in focus by setting up an event handler that is triggered when certain UI changes are detected.


Akamai’s analysis found that this approach could also open up an avenue for abuse, allowing malicious actors to read/write messages, steal data entered in websites (e.g., payment information), and execute commands that redirect victims to malicious websites when a currently displayed web page in a browser refreshes or changes.

“In addition to the UI elements currently shown on the screen that we can interact with, more elements are loaded in advance and placed in a cache,” Peled noted. “We can also interact with those elements, such as reading messages not shown on the screen, or even set the text box and send messages without it being reflected on the screen.”

That said, it bears noting that each of these malicious scenarios is an intended feature of UI Automation, much like how Android’s accessibility services API has become a staple technique for malware to extract information from compromised devices.

“This goes back to the intended purpose of the application: Those permissions levels have to exist in order to use it,” Peled added. “This is why UIA is able to bypass Defender — the application finds nothing out of the ordinary. If something is seen as a feature rather than a bug, the machine’s logic will follow the feature.”
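Because a UIA client reaches other applications through the COM client library described above, defenders can at least inventory which processes have that library loaded and review the ones that are not known assistive technology. The following PowerShell hunting script is an added example and is not part of Akamai’s report; it assumes that UIAutomationCore.dll is the UIA client DLL (true on current Windows builds) and uses a constructed allowlist of expected process names that must be tuned for each environment.

```powershell
# Added hunting example (not from the Akamai report): list every process that has the
# UI Automation client library loaded. Legitimate assistive technology and UI test tools
# load it too, so the result is a review list, not an alert on its own.
$uiaModule = 'UIAutomationCore.dll'

# Constructed allowlist of expected UIA clients; tune it per environment.
$knownClients = @('Narrator', 'Magnify')

function Get-UiaClientProcess {
    param([string[]]$Allowlist = $knownClients)

    foreach ($p in Get-Process) {
        try {
            $mods = $p.Modules | Select-Object -ExpandProperty ModuleName
        } catch {
            # Protected or other-user processes deny module enumeration to a
            # non-elevated caller; run elevated for full coverage.
            continue
        }
        if ($mods -contains $uiaModule) {
            [pscustomobject]@{
                Pid         = $p.Id
                Name        = $p.ProcessName
                Path        = $p.Path
                Allowlisted = ($Allowlist -contains $p.ProcessName)
            }
        }
    }
}

# Unexpected UIA clients (Allowlisted = False) sort first and are the candidates to investigate.
Get-UiaClientProcess | Sort-Object Allowlisted, Name | Format-Table -AutoSize
```

Pair the process list with the file path and signer of each binary before deciding anything: a UIA client running from a user-writable directory deserves more scrutiny than one shipped with Windows.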

From COM to DCOM: A Lateral Movement Attack Vector

The disclosure comes as Deep Instinct revealed that the Distributed COM (DCOM) Remote Protocol, which allows software components to communicate over a network, could be exploited to remotely write custom payloads that create an embedded backdoor.


The attack “allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters,” security researcher Eliran Nissan said. “This backdoor-like attack abuses the IMsiServer COM interface.”

That said, the Israeli cybersecurity company noted that an attack of this kind leaves clear indicators of compromise (IoCs) that can be detected and blocked. It further requires the attacker and victim machines to be in the same domain.


“Until now, DCOM lateral movement attacks have been exclusively researched on IDispatch-based COM objects due to their scriptable nature,” Nissan said. The new ‘DCOM Upload & Execute’ method “remotely writes custom payloads to the victim’s [Global Assembly Cache], executes them from a service context, and communicates with them, effectively functioning as an embedded backdoor.”

“The research presented here proves that many unexpected DCOM objects may be exploitable for lateral movement, and proper defenses should be aligned.”
