A newly uncovered malware technique is exploiting Windows‘ UI Automation (UIA) framework to bypass endpoint detection and response (EDR) tools, allowing malicious activities to go undetected. Originally designed to assist users with disabilities by providing programmatic access to UI elements, UIA is also used in automated testing environments. However, researchers have found that attackers can leverage this framework to perform a range of malicious actions without triggering alarms in security systems. This technique involves using UIA to execute commands, harvest sensitive data, and redirect browsers to phishing sites.
One of the key features of this attack is the ability to interact with hidden UI elements. By manipulating the Component Object Model (COM) to communicate between processes, attackers can access elements in other applications, including messaging services like Slack and WhatsApp. This enables the reading and writing of messages or commands, even if the content isn’t visible on the screen. It also allows attackers to manipulate applications over a network, giving them the ability to hijack communication and execute remote attacks.
In addition to the immediate threat to data security, this exploit can also be used to steal sensitive information such as payment details entered on websites. The ability to interact with both visible and cached UI elements allows attackers to silently steal data without leaving obvious traces. The exploit’s stealthy nature arises from the fact that these actions are part of the legitimate functionality of UI Automation, making it difficult for traditional security tools to identify the malicious behavior.
This research underscores the importance of securing every component of a system, particularly those designed for accessibility. As malware evolves to exploit features initially intended for legitimate purposes, it becomes increasingly difficult for security software to distinguish between normal and malicious actions. The discovery of this UIA-based attack technique highlights the need for more robust and comprehensive security measures that account for both traditional and novel attack vectors, ensuring that all system components, even those intended for accessibility, are protected against exploitation.
Reference:
