An accessibility feature built into Windows to facilitate the use of computers by people with disabilities can be abused by malware to steal data from other applications or control them in malicious ways that evade detection by most endpoint protection systems.

The Windows UI Automation framework has existed since the days of Windows XP and provides a way for assistive technology programs like screen readers to interact with user interface (UI) elements of other applications.

"We found that attackers can abuse UI Automation to exfiltrate data, manipulate internet browsing, execute commands, and even read and write messages from chat applications like WhatsApp or Slack," a researcher from Akamai stated in a report. "And all of this went undetected by every EDR vendor we tested."

The UI Automation framework (UIA) uses the Component Object Model (COM), a system built into Windows that allows different processes to communicate with each other programmatically through a binary interface. To opt into UIA, an application registers a COM object on the system with the CUIAutomation class UUID and the UIAutomation interface UUID. This causes UIAutomationCore.dll to be loaded into the application, as well as into any other application on the system that has desktop UI elements.

The application can then register event handlers to be notified when another application is brought into focus on the desktop, obtain all of its UI elements, and iterate through them. For example, the researcher demonstrates how, with Slack, an attacker can determine which conversation is open and then read its entire contents. The attacker can also enter custom text in the message box and send messages programmatically.

"Another option to maintain stealth without taking a passive approach is to use the caching mechanism of UIA," the researcher said. 
"In addition to the UI elements currently shown on the screen that we can interact with, more elements are loaded in advance and placed in a cache. We can also interact with those elements, such as reading messages not shown on the screen, or even set the text box and send messages without it being reflected on the screen."

This, of course, works in other applications as well. For example, in the context of an online shopping website opened in the browser, an attacker could use UIA to detect when the user is typing credit card information and exfiltrate that data.

Or they could interact with the address bar to forcefully redirect the user to a malicious version of the website they currently have open. Since the user already expects to be on the website, they might not even notice the address change. For example, if the website refreshes and asks them to log in, they might think their session expired and that they need to re-authenticate. This happens quite frequently on some websites, including email services, and might not raise suspicion.

Since all these actions are legitimate UIA features, Windows Defender does not detect the behavior as suspicious, and neither does any other EDR product that the Akamai researcher tested. It might even be hard to build detection for this without causing false-positive blocking of legitimate accessibility software that users depend on.
Another area of risk
The Akamai researcher also noted that there are further areas of research, such as Distributed COM (DCOM), which allows calling COM objects between different machines and not just on the same system. UIA also opens a server and named pipes into the target applications to implement the COM-based communication, and the named pipes could pave the way for privilege escalation or impersonation attacks.

One limitation that Microsoft built into the system is that processes using the UI Automation framework automatically receive the medium trust level and are not allowed to interact with processes at higher privilege levels. However, this limitation can be bypassed by using a signed application with a manifest file containing the key requestedExecutionLevel.uiAccess set to true, the researcher stated.

System administrators can use tools like osquery to build alerts for processes that loaded UIAutomationCore.dll and then determine whether they are legitimate or not. Similar queries can be created to identify processes that opened the UI Automation named pipe. The Akamai researchers provide examples for both in their post.

"While the exploitation of UIA may be more difficult than some other attacks, the fact that EDR cannot detect it may make UIA a highly attractive attack surface," the researchers said. "In an effort to reduce its attractiveness to threat actors, Microsoft has placed some restrictions on UIA, but attackers can still take advantage of it with the proper amount of skill."
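The osquery-based hunting approach described above, written out as an added example (these are not Akamai's or CSO Online's queries): the first query lists processes that currently have UIAutomationCore.dll mapped, the second lists processes that hold a named pipe whose name matches a pattern. The table and column names (`processes`, `process_memory_map`, `pipes`) come from the public osquery schema; the pipe-name pattern is a placeholder, because the article does not give the actual UIA pipe name, and the allow-list of expected assistive-technology hosts is constructed and must be tuned per environment.

```sql
-- Added example, not Akamai's published queries. Assumes the public osquery
-- schema on Windows: processes, process_memory_map and pipes tables.

-- 1. Processes that have UIAutomationCore.dll loaded.
--    Legitimate accessibility software will show up here too, so the result
--    is a triage list, not a verdict: the allow-list below is a constructed
--    starting point (Windows Narrator is a real screen reader) to be tuned.
SELECT DISTINCT
    p.pid,
    p.parent,
    p.name,
    p.path,
    p.cmdline
FROM processes AS p
JOIN process_memory_map AS m ON m.pid = p.pid
WHERE LOWER(m.path) LIKE '%\uiautomationcore.dll'
  AND LOWER(p.name) NOT IN ('narrator.exe');   -- constructed allow-list, extend as needed

-- 2. Processes that opened a named pipe used for UIA's COM transport.
--    'UIA' is a PLACEHOLDER pattern; replace it with the pipe name observed
--    on a known-good host (e.g. by running this query while Narrator is active).
SELECT
    p.pid,
    p.name,
    p.path,
    n.name AS pipe_name,
    n.instances
FROM pipes AS n
JOIN processes AS p ON p.pid = n.pid
WHERE n.name LIKE '%UIA%';
```

Scheduling both queries in an osquery pack and diffing results against a baseline taken on a clean workstation turns them into the alerts the article describes: a new, unsigned or oddly located binary appearing in either result set is the signal worth investigating, while the expected assistive-technology processes stay in the allow-list.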
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3622843/attackers-can-abuse-the-windows-ui-automation-framework-to-steal-data-from-apps.html