- Security researchers from Akamai found UI Automation accessibility feature could be abused for malicious use
- UI Automation must be allowed to do all the things malware usually does, which makes it difficult for antivirus programs to spot it
- Admins can monitor the OS for suspicious activity
Cybersecurity researchers from Akamai have discovered a new way to get malware to run on Windows devices without triggering Endpoint Detection and Response (EDR) tools.
In a report published on the Akamai blog earlier this week, it was said that starting with Windows XP, the OS introduced a feature called UI Automation, as part of the .NET Framework. This feature is designed to provide programmatic access to user interface elements, enabling assistive technologies like screen readers to interact with applications and help users with disabilities. It also supports automated testing scenarios by allowing developers to manipulate and retrieve information from UI components programmatically.
But if a piece of malware were to abuse UI Automation, it could execute a range of malicious commands without triggering any security alarms: “To exploit this technique, a user must be convinced to run a program that uses UI Automation,” Akamai said in its writeup. “This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more.”
Detecting possible attacks
The new technique is essentially a port from Android, since it revolves around accessibility features.
Since the malware would essentially be abusing what is otherwise a benign, intended feature, antivirus programs would have a difficult time flagging the activity. In essence, it is the same situation as on Android, where the accessibility services API has become the go-to mechanism for malware on the platform. It is also the best way to spot malicious applications there, since they all must first ask for permission to use Accessibility Services.
To detect possible attacks, admins should monitor the use of UIAutomationCore.dll, the researchers concluded: the library being loaded into a previously unknown process should be cause for concern. Furthermore, network admins can monitor the named pipes that are opened on an endpoint by UIA, which is another indicator of its use.
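The two indicators above can be turned into a simple baseline check. The following is an added example written for this page, not Akamai's code or tooling: it reads constructed, Sysmon-style records (Event ID 7 image-load events and Event ID 17 named-pipe events, flattened here into `Key=Value` lines for the demo) and flags any process outside an assumed per-host baseline that loads UIAutomationCore.dll, then flags named pipes created by such a process. The baseline set, the sample process names and paths, and the flattened record format are all assumptions made for the example.

```python
"""Flag UI Automation use by processes outside a known baseline.

Added example for this article; not Akamai's code. Input records are
constructed Sysmon-style events flattened to 'Key=Value' pairs.
"""
import re
from typing import Dict, Iterable, List

UIA_DLL = "uiautomationcore.dll"

# ASSUMPTION: example baseline of processes expected to use UI Automation on
# this host (assistive tools, test harnesses). A real baseline is built from
# your own fleet's image-load telemetry, not from this list.
BASELINE_IMAGES = {
    r"c:\windows\system32\narrator.exe",
    r"c:\windows\system32\magnify.exe",
}

# Constructed sample events (not real logs). Paths contain no spaces, which
# keeps the flattened Key=Value format unambiguous for this demo.
SAMPLE_EVENTS = [
    r"EventID=7 ProcessId=1304 Image=C:\Windows\System32\Narrator.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7 ProcessId=4412 Image=C:\Users\alice\Downloads\invoice_viewer.exe ImageLoaded=C:\Windows\System32\UIAutomationCore.dll",
    r"EventID=7 ProcessId=4412 Image=C:\Users\alice\Downloads\invoice_viewer.exe ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=17 ProcessId=4412 Image=C:\Users\alice\Downloads\invoice_viewer.exe PipeName=\example_pipe_4412",
    r"EventID=17 ProcessId=900 Image=C:\Windows\System32\svchost.exe PipeName=\lsass",
]

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key=Value Key=Value ...' record into a dict."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def analyze(lines: Iterable[str], baseline=BASELINE_IMAGES) -> List[Dict[str, str]]:
    """Return findings for UIA activity by processes outside the baseline.

    Rule 1: Event ID 7 where ImageLoaded is UIAutomationCore.dll and the
            loading Image is not in the baseline.
    Rule 2: Event ID 17 (named pipe created) by a process that earlier
            loaded the DLL and is not in the baseline. Correlating on the
            process avoids depending on any particular pipe name.
    """
    findings: List[Dict[str, str]] = []
    uia_loaders: Dict[str, str] = {}  # ProcessId -> lowercase image path

    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        image = ev.get("Image", "").lower()
        pid = ev.get("ProcessId", "")

        if event_id == "7" and ev.get("ImageLoaded", "").lower().endswith(UIA_DLL):
            uia_loaders[pid] = image
            if image not in baseline:
                findings.append({
                    "pid": pid,
                    "image": image,
                    "reason": "UIAutomationCore.dll loaded by process outside baseline",
                })
        elif event_id == "17" and uia_loaders.get(pid) not in (None, *baseline):
            findings.append({
                "pid": pid,
                "image": image,
                "reason": f"named pipe {ev.get('PipeName', '?')} created by non-baseline UIA process",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] pid={finding['pid']} image={finding['image']}: {finding['reason']}")
```

On the sample data, Narrator's load of the DLL is ignored because it sits in the baseline, while the downloaded `invoice_viewer.exe` produces two findings: one for loading UIAutomationCore.dll and one for the named pipe it creates afterwards. In production the same two rules map directly onto Sysmon's image-load and pipe-event configuration, with the baseline maintained per host role.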
The details on how to do that can be found here.