Security researchers have disclosed a novel technique that allows malware to inject malicious code into other processes without being detected by antivirus (AV) software and other endpoint security systems.
The technique, demonstrated by a team of security researchers at Ensilo, is called “AtomBombing” because it relies on the Windows atom tables mechanism.
Atom tables are provided by the OS and can be used to share data across applications. This code injection technique affects all versions of Windows; it abuses atom tables to bypass the security sandbox.
Attackers could write malicious code into an atom table and force a program to retrieve it. The technique is not based on a flaw, but on the design of the operating system.
As per Tai, the Ensilo researcher: “What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
The technique of AtomBombing
AtomBombing principally works in three main stages:
- Write-What-Where – Writing arbitrary data to arbitrary locations in the target process’s address space.
- Execution – Hijacking a thread of the target process to execute the code written in stage 1.
- Restoration – Cleaning up and restoring the execution of the thread hijacked in stage 2.
It is crucial to be aware that this new code injection technique is not currently identified or detected by antivirus and endpoint security software in the wild, primarily because it is based on legitimate functionality of the operating system. Furthermore, the atom tables mechanism is present in all Windows versions and cannot be patched as such, because it is not actually a vulnerability.
As per the Ensilo security researcher, “being a new code injection technique, AtomBombing bypasses [antivirus] and other endpoint infiltration prevention solutions.”
The detailed analysis of the AtomBombing technique can be found here.
The researchers in action
The Ensilo researchers’ new way of leveraging mechanisms of the underlying Windows OS to inject malicious code is valuable work. At the same time, it is critical and dangerous, since threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection.
AtomBombing was tested primarily against Windows 10, and as per the researchers this issue cannot be patched since it doesn’t rely on broken or flawed code, but rather on the design of how these operating systems operate.
What is code injection?
Code injection is a prevalent attack technique used by hackers and cyber criminals to inject malicious code or malware into legitimate programs, which in turn makes it easier for them to bypass security programs, operate while remaining hidden from the targeted user, and grab sensitive information from systems (data exfiltration) that would otherwise have been inaccessible.
As described by the security researcher from Ensilo, “For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable’s communication. To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe.”
Code injections can certainly be considered to be an invaluable means for hackers, since they provide them with the ability to bypass various security protocols, including process level restrictions. Moreover, it gives attackers the ability to take screenshots and send them back to the attackers, execute Man in the Browser attacks, which involve making modifications to the content displayed to the user, and access encrypted passwords.
Malicious programs and cybercriminals also use code injection techniques for numerous other reasons. For instance, Trojans targeting banking, financial services and insurance (BFSI) inject malicious code into browser processes to monitor and modify locally displayed websites, usually banking websites. This lets them steal login credentials and payment card details, or secretly redirect transactions to their own accounts.
Code injection is also commonly used to bypass restrictions that allow certain types of data to be accessed only by specific processes. For example, this attack technique can be used to steal encrypted passwords from other applications, or to take screenshots of the user’s desktop if the malware process itself doesn’t have the required privileges.
There are a number of well-known code injection techniques that many endpoint security products already have mechanisms in place to detect.
Injection techniques – in depth
There are quite a few reasons why code injection is useful. An attacker may use code injection, for example, to:
- Bypass process level restrictions: Many security products employ a whitelist of trusted processes. If the attacker is able to inject malicious code into one of those trusted processes, the security product can easily be bypassed.
- Access context-specific data: Some data is only accessible to certain processes, while inaccessible to others. For example:
  - Taking screenshots – A process that takes a screenshot of the user’s screen must run within the context of the user’s desktop. However, more often than not malware is loaded into the services desktop, not the user’s, preventing it from taking a screenshot of the user’s desktop. Using code injection, malware can inject code into a process that is already running on the user’s desktop, take a picture and send it back to the malware in the services desktop.
  - Performing Man in the Browser (MitB) attacks – By injecting code into a web browser an attacker can modify the content shown to the user. For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens. However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount. In a MitB attack, the customers are unaware of the money being funneled out of their account until it’s too late.
  - Accessing encrypted passwords – Google Chrome encrypts the user’s stored passwords using the Windows Data Protection API (DPAPI). This API uses data derived from the current user to encrypt/decrypt the data and access the passwords. In this scenario, malware that is not running in the context of the user will not be able to access the passwords. However, if the malware injects code into a process that is already running in the context of the current user, the plain-text passwords can easily be accessed.
Code Injections in the Past
Currently, there are just a handful of known code injection techniques; a list of several of them can be found here. Recently, security researchers from the same team found a new code injection technique called PowerLoaderEx, which enables an attacker to inject code without needing to actually write code or data to the injected process.
Once a code injection technique is well known, security products focused on preventing attackers from compromising endpoints (such as anti-virus and host intrusion prevention systems) typically update their signatures accordingly. So once the injection technique is known, it can be detected and mitigated by those security products.
Being a new code injection technique, AtomBombing bypasses AV, NGAV, and other endpoint infiltration prevention solutions.
AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities.
Since the underlying mechanism cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation would be to dive into the relevant API calls and monitor them for malicious activity.
It’s important, though, to take a step back at this point. AtomBombing is one more technique in the attacker’s toolbox. Threat actors will continuously pull out a tool, old or new, to ensure that they bypass anti-infiltration technologies (such as AV, NGAV, HIPS, etc.).
A senior threat analyst from a security firm noted that even if an attack doesn’t exploit a software vulnerability or bug, security vendors could potentially still detect and block the malicious payload.
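As an added illustration of the monitoring approach suggested above (example code written for this page, not Ensilo’s or any vendor’s), the following Python sketch correlates the first two AtomBombing stages from the list earlier in the article: bulk writes to the global atom table by one process, followed within a short window by a call from that same process that can make a thread in a different process execute. The tab-separated trace format, the grouping of the documented Win32/NT calls into “atom write” and “remote execution” sets, the byte and time thresholds, and every log line are assumptions constructed for the example.

```python
"""Correlate atom-table writes with cross-process thread execution.

Added example, not Ensilo's code. Assumes a hypothetical API-call trace in
which each line is tab-separated:
    timestamp \t pid \t image \t api \t target_pid \t detail
target_pid is "-" when the call does not reference another process, and
detail holds the atom string for atom-table calls. All trace lines below are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Win32 calls that place a string into the global atom table ("Write" stage).
ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW", "GlobalAddAtomExA", "GlobalAddAtomExW"}
# Calls that can make a thread run code; only cross-process use is of interest ("Execution" stage).
REMOTE_EXEC_APIS = {"NtQueueApcThread", "QueueUserAPC", "SetThreadContext"}


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str
    api: str
    target_pid: Optional[int]
    detail: str


def parse_trace(text: str) -> List[Event]:
    """Parse the constructed tab-separated trace format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, api, target, detail = line.split("\t", 5)
        events.append(Event(datetime.fromisoformat(ts), int(pid), image, api,
                            None if target == "-" else int(target), detail))
    return events


def detect(events: List[Event], window: timedelta = timedelta(seconds=60),
           byte_threshold: int = 256) -> List[dict]:
    """Return one alert per (source pid, target pid) pair where the source wrote
    at least byte_threshold bytes of atom strings and then, within `window`,
    used a remote-execution API against a process other than itself.
    Atom names are normally short (window classes, clipboard formats), so a
    large cumulative volume is the anomaly; cross-process execution alone
    (e.g. a debugger) is deliberately not flagged."""
    atom_writes: Dict[int, List[Tuple[datetime, int]]] = defaultdict(list)
    alerts, seen = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.api in ATOM_WRITE_APIS:
            atom_writes[ev.pid].append((ev.ts, len(ev.detail.encode("utf-8"))))
            continue
        if ev.api in REMOTE_EXEC_APIS and ev.target_pid not in (None, ev.pid):
            recent = sum(n for ts, n in atom_writes[ev.pid] if ev.ts - ts <= window)
            key = (ev.pid, ev.target_pid)
            if recent >= byte_threshold and key not in seen:
                seen.add(key)
                alerts.append({"ts": ev.ts.isoformat(), "pid": ev.pid, "image": ev.image,
                               "api": ev.api, "target_pid": ev.target_pid,
                               "atom_bytes": recent})
    return alerts


# Constructed trace: one benign atom registration, one benign cross-process
# debugger call, and one process that bulk-writes atoms then queues an APC
# into another process. "X" * 200 stands in for an opaque 200-char atom string.
SAMPLE_TRACE = "\n".join("\t".join(r) for r in [
    ("2016-10-27T10:00:01", "1234", "explorer.exe", "GlobalAddAtomW", "-", "MyWindowClass"),
    ("2016-10-27T10:00:05", "4120", "evil.exe", "GlobalAddAtomA", "-", "X" * 200),
    ("2016-10-27T10:00:05", "4120", "evil.exe", "GlobalAddAtomA", "-", "X" * 200),
    ("2016-10-27T10:00:06", "4120", "evil.exe", "GlobalAddAtomA", "-", "X" * 200),
    ("2016-10-27T10:00:07", "4120", "evil.exe", "NtQueueApcThread", "2040", "chrome.exe"),
    ("2016-10-27T10:00:30", "3000", "debugger.exe", "SetThreadContext", "3500", "target.exe"),
])

if __name__ == "__main__":
    for alert in detect(parse_trace(SAMPLE_TRACE)):
        print(alert)
```

The sample run raises a single alert for pid 4120 against pid 2040 with 600 bytes of recent atom data; explorer.exe’s short atom and the debugger’s cross-process call are both ignored. In practice the thresholds would be tuned against a baseline of legitimate atom-table usage on the monitored hosts, and the trace would come from whatever API-call telemetry the endpoint product already collects.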
If the payload does get executed (forcefully or from an illegal resource) and tries to insert malicious code into a legitimate application, the attempt could still be detected and blocked since security solutions (such as anti-virus and anti-malware solutions) often monitor processes and services throughout their entire execution lifetime.
Obviously, we need to find a better way to deal with threat actors. Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment.
To help avoid malware infection, Microsoft encourages its customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers, a Microsoft representative said in an emailed statement. “A system must already be compromised before malware can utilize code injection techniques.”