A newly discovered malware technique leverages a Windows accessibility framework, UI Automation (UIA), to perform a variety of malicious operations while evading endpoint detection and response (EDR) tools.
"To exploit this technique, a user must be convinced to run a program that uses UI Automation," explained Akamai security researcher Tomer Peled in a report shared with The Hacker News. "This can lead to stealthy command execution, harvesting sensitive data, redirecting browsers to phishing sites, and more."
Exploiting a Security Blind Spot
The implications of this technique extend far beyond individual users. Local attackers can use this blind spot to execute commands and intercept messages from popular applications like Slack and WhatsApp. Additionally, this method could potentially be weaponized to manipulate UI elements remotely over a network.
First introduced with Windows XP as part of the Microsoft .NET Framework, UI Automation provides programmatic access to user interface (UI) elements. It was originally designed to aid assistive technologies, such as screen readers, and to support automated testing scenarios.
Microsoft’s documentation underscores the trust requirements inherent in the framework:
"Assistive technology applications typically need access to protected system UI elements or processes running at higher privilege levels. Therefore, such applications must be trusted by the system and operate with special privileges."
To access higher-integrity-level (IL) processes, an application must set the UIAccess flag in its manifest and be launched by a user with administrator privileges.
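For defenders who want to inventory which binaries request that flag, the following added example (not from Akamai's report or Microsoft's documentation) searches a file's raw bytes for an embedded application manifest and reports its requestedExecutionLevel settings. The function names and sample byte strings are constructed for illustration, and the byte-level search is a triage heuristic that assumes the manifest is stored as plain UTF-8 XML.

```python
import re
import xml.etree.ElementTree as ET

# Embedded manifests are XML; tolerate a namespace prefix on the root element.
MANIFEST_RE = re.compile(rb"<(?:\w+:)?assembly\b.*?</(?:\w+:)?assembly>", re.DOTALL)

def find_manifest(blob: bytes):
    """Return the first embedded manifest found in raw file bytes, or None."""
    m = MANIFEST_RE.search(blob)
    return m.group(0) if m else None

def uiaccess_info(blob: bytes) -> dict:
    """Report the requested execution level and uiAccess flag of a binary."""
    result = {"manifest": False, "level": None, "ui_access": False}
    xml = find_manifest(blob)
    if xml is None:
        return result
    result["manifest"] = True
    try:
        # The slice starts at the root element, so no DOCTYPE or custom
        # entities from the file can reach the parser.
        root = ET.fromstring(xml)
    except ET.ParseError:
        return result
    for el in root.iter():
        # Match on the local name; the element may sit in asm.v2 or asm.v3.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            result["level"] = el.get("level")
            result["ui_access"] = el.get("uiAccess", "false").strip().lower() == "true"
            break
    return result

def _sample(ui_access: str) -> bytes:
    """Build a constructed stand-in for a PE file with an embedded manifest."""
    manifest = (
        '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
        '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
        '<requestedPrivileges><requestedExecutionLevel level="asInvoker" '
        f'uiAccess="{ui_access}"/></requestedPrivileges></security></trustInfo>'
        "</assembly>"
    ).encode()
    return b"MZ\x90\x00" + b"\x00" * 64 + manifest + b"\x00" * 16

SAMPLE_UIACCESS = _sample("true")      # constructed: requests UIAccess
SAMPLE_PLAIN = _sample("false")        # constructed: ordinary application
SAMPLE_NO_MANIFEST = b"MZ\x90\x00" + b"\x00" * 64  # constructed: no manifest

if __name__ == "__main__":
    for name in ("SAMPLE_UIACCESS", "SAMPLE_PLAIN", "SAMPLE_NO_MANIFEST"):
        print(name, uiaccess_info(globals()[name]))
```

A result with `ui_access` set to true marks a binary worth reviewing, not a detection on its own, since the flag is only needed to reach higher-integrity processes.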
The Mechanism of Exploitation
UI Automation interactions rely on the Component Object Model (COM) as an inter-process communication (IPC) mechanism. This allows malicious actors to create UIA objects capable of interacting with applications in focus. Event handlers can be configured to trigger specific actions when certain UI changes occur.
Akamai’s research revealed that this feature could be exploited to:
Read or write messages in messaging apps without user awareness.
Extract sensitive data entered on websites, such as payment information.
Redirect victims to malicious websites by hijacking browser sessions when web pages refresh or change.
"In addition to interacting with visible UI elements, cached elements loaded in advance can also be manipulated," Peled noted. "This includes reading off-screen messages or modifying text boxes without those changes appearing on the user’s screen."
A Feature, Not a Bug
These malicious activities exploit the intended functionality of UI Automation, similar to how Android’s Accessibility Services API has been widely abused by malware to extract information from compromised devices.
"Permissions for these features exist by design," Peled added. "That’s why UIA bypasses Defender; the system doesn’t recognize these actions as malicious. If it’s seen as a feature rather than a bug, the system treats it accordingly."
From COM to DCOM: Expanding Attack Vectors
In a related disclosure, Deep Instinct researchers identified a new attack vector involving the Distributed COM (DCOM) Remote Protocol. This protocol, which facilitates network communication between software components, can be exploited to deploy backdoors.
"The attack allows the writing of custom DLLs to a target machine, loading them into a service, and executing arbitrary parameters," explained security researcher Eliran Nissan. "This backdoor-like method abuses the IMsiServer COM interface."
The "DCOM Upload & Execute" technique enables attackers to remotely write custom payloads to the victim’s Global Assembly Cache (GAC). These payloads are executed in a service context, effectively creating an embedded backdoor. However, this method leaves clear indicators of compromise (IoCs) that can aid in detection and prevention.
"Until now, DCOM lateral movement attacks have primarily focused on IDispatch-based COM objects due to their scriptable nature," Nissan noted. "This new method demonstrates that many overlooked DCOM objects could be exploited, necessitating stronger defensive measures."
Key Takeaway
Both UI Automation and DCOM attacks exploit legitimate features, emphasizing the importance of enhanced monitoring of trusted system processes to detect misuse. Cybersecurity professionals must remain vigilant and adopt robust defenses to address these evolving threats.