Windows UI Automation: Cybercriminals’ New Weapon

Researchers from Akamai have discovered a new technique used by attackers that abuses the UI Automation (UIA) framework built into Windows. UIA is a framework for working with user interface elements, and it lets attackers carry out malicious actions without being flagged by threat detection systems such as EDR.

UIA, initially introduced in Windows XP as part of the .NET Framework, was meant to support assistive technology for users with disabilities and automated UI testing. However, attackers have found ways to leverage its capabilities to read data, redirect browsers to phishing sites, and execute hidden commands.

According to the researchers, victims are tricked into running a program that uses UI Automation, which lets attackers interact with the interface elements of various applications, read messages in instant messengers, and even send messages without anything appearing on screen.

One key aspect of UI Automation is that it interacts with interface elements through the Component Object Model (COM), an inter-process communication (IPC) mechanism, which allows it to manipulate the interface of the application that currently has focus. This lets attackers abuse standard system functions and the privileges that UIA is granted by design.

Attackers can also intercept messages that are not visible on screen and send text without any visible change in the interface, posing a significant threat to corporate messaging applications such as Slack and WhatsApp.

While these actions may look like normal UI Automation functionality, attackers can easily bypass the UIA application privileges set by Microsoft and use the framework for malicious purposes. The technique is reminiscent of attacks on Android devices that abuse accessibility services to steal data from infected devices.

The challenge on Windows is that protection mechanisms interpret UIA actions as standard functions rather than threats, making them invisible to antivirus programs. This highlights how standard OS functions can be used for covert attacks, and underlines the need for closer scrutiny of such mechanisms and for restricting their use on corporate devices.
