A newly developed technique uses a Windows accessibility framework called User Interface Automation (UIA) to perform a wide range of malicious activities without being detected by Endpoint Detection and Response (EDR) solutions.
“To exploit this technique, the user must be persuaded to run a program that uses UI automation,” Akamai security researcher Tomer Peled said in a report shared with The Hacker News. “This can lead to covert execution of commands that can collect sensitive data, redirect browsers to phishing websites, and more.”
Worse, local attackers can exploit this security blind spot to execute commands and to read and write messages in messaging apps like Slack and WhatsApp. It can also be weaponized to manipulate UI elements over the network.
First available in Windows XP as part of the Microsoft .NET Framework, UI Automation was developed to provide programmatic access to user interface (UI) elements and to let users manipulate them through assistive technology products such as screen readers. It is also used in automated testing scenarios.
“Assistive technology programs typically require access to protected elements of the system’s user interface or to other processes that can run at a higher level of privilege,” Microsoft notes in its supporting documentation. “Therefore, assistive technology applications must be trusted by the system and must run with special privileges.”
“To access higher IL processes, an assistive technology application must set the UIAccess flag in the application manifest and be launched by a user with administrative privileges.”
Interaction with UI elements in other applications is achieved using the Component Object Model (COM) as an inter-process communication (IPC) mechanism. This makes it possible to create UIA objects that interact with the focused application by registering an event handler that fires when certain UI changes are detected.
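Because Microsoft only honours the UIAccess manifest flag quoted above for signed binaries installed in a secure location, a defender can triage suspicious executables by parsing their embedded manifest for that flag and checking where they live. The following is an added example, not code from Akamai's report or from Microsoft; the sample manifests and paths are constructed, and `SECURE_ROOTS` is an assumption matching the default UAC secure-location policy.

```python
"""Audit Windows application manifests for the UIAccess flag (added example)."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
# Secure locations honoured by the UAC policy "Only elevate UIAccess applications
# that are installed in secure locations" (assumed default; enabled out of the box).
SECURE_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows\System32")

def requested_privileges(manifest_xml: str) -> dict:
    """Return {'level': ..., 'uiAccess': bool} from a manifest; defaults if absent."""
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    if node is None:
        return {"level": "asInvoker", "uiAccess": False}
    return {
        "level": node.get("level", "asInvoker"),
        "uiAccess": node.get("uiAccess", "false").lower() == "true",
    }

def audit(path: str, manifest_xml: str) -> list:
    """Findings for one binary: does it request UIAccess, and from a secure location?"""
    privs = requested_privileges(manifest_xml)
    findings = []
    if privs["uiAccess"]:
        findings.append(f"{path}: requests UIAccess (level={privs['level']})")
        p = PureWindowsPath(path)
        if not any(p.is_relative_to(PureWindowsPath(r)) for r in SECURE_ROOTS):
            findings.append(f"{path}: UIAccess requested outside a secure location")
    return findings

# Constructed sample manifests (not taken from any real binary).
SCREEN_READER = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
  <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
 </requestedPrivileges></security></trustInfo></assembly>"""
PLAIN_APP = SCREEN_READER.replace('uiAccess="true"', 'uiAccess="false"')

if __name__ == "__main__":
    for path, xml in [(r"C:\Program Files\Reader\reader.exe", SCREEN_READER),
                      (r"C:\Users\alice\Downloads\helper.exe", SCREEN_READER),
                      (r"C:\Users\alice\Downloads\tool.exe", PLAIN_APP)]:
        print("\n".join(audit(path, xml)) or f"{path}: no UIAccess request")
```

A UIAccess request from a user-writable directory does not prove abuse, but it is exactly the kind of binary that deserves a signature check and a look at which processes it attaches to.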
Akamai’s research found that this approach also opens the way for abuse, allowing attackers to read and write messages, steal data entered on websites (such as payment information), and execute commands that redirect victims to malicious websites when the page currently displayed in the browser is refreshed or changed.
“In addition to the UI elements currently displayed on the screen that we can interact with, additional elements are loaded in advance and cached,” Peled noted. “We can also interact with these elements, such as reading off-screen messages, or even setting a text box and sending messages off-screen.”
However, it’s worth noting that each of these malicious scenarios relies on an intended UI automation feature, much like the Android Accessibility Services API, which has become the main way for malware to extract information from compromised devices.
“It goes back to the purpose of the app: those permission levels have to exist in order to use it,” Peled added. “This is why UIA can bypass Defender – the application does not find anything unusual. If something is seen as a function rather than a bug, the machine’s logic will follow that function.”
From COM to DCOM: A lateral movement attack vector
The disclosure comes as Deep Instinct revealed that the Distributed COM (DCOM) Remote Protocol, which allows software components to communicate over a network, can be used to remotely write custom payloads and create an embedded backdoor.
The attack “allows custom DLLs to be written to a target machine, loaded into a service, and executed with arbitrary parameters,” security researcher Eliran Nissan said. “This backdoor attack abuses the IMsiServer COM interface.”
However, the Israeli cybersecurity company noted that such an attack leaves clear indicators of compromise (IoCs) that can be detected and blocked. Additionally, the attacker and victim machines must be in the same domain.
“Until now, DCOM lateral movement attacks have been researched exclusively on IDispatch-based COM objects due to their scripting nature,” Nissan said. The new ‘Download and run DCOM’ method “remotely writes custom payloads to the victim (the Global Assembly Cache), executes them from the service context, and interacts with them, effectively functioning as a built-in backdoor.”
“The research presented here proves that many unexpected DCOM objects can be used for lateral movement, and proper defenses must be aligned.”