Malware Exploits Windows UI Tools to Bypass Security

Malware creators have discovered a way to exploit Windows UI Automation (UIA), a framework initially designed to help users with accessibility needs. This new technique enables attackers to perform malicious activities while avoiding detection by endpoint detection and response (EDR) tools.

The attack depends on the victim first running a program that uses UI Automation. Once that program is active, it can stealthily execute commands, harvest sensitive information, and redirect browsers to phishing sites. For example, attackers could read and send messages from applications like Slack or WhatsApp without the user’s awareness.

How UI Automation Became a Vulnerability

UI Automation, introduced with Windows XP in the .NET Framework, allows programs to access user interface (UI) elements on behalf of assistive technologies like screen readers. It also supports automated testing. By design, applications that use it are granted privileged access so they can interact with protected UI elements and other processes, and that same access makes the framework a target for abuse.

Attackers leverage the Component Object Model (COM) for inter-process communication, allowing them to create UIA objects that interact with applications. This interaction includes monitoring UI changes, executing commands, and manipulating UI elements remotely. These capabilities are intended features of UIA but can also facilitate malicious activities.

Potential Impact

A report highlighted how this method could enable reading or modifying cached UI elements, such as unseen messages or sensitive website data. Attackers could even send messages or alter browser content without the user noticing changes on their screen. These actions exploit the framework’s legitimate permissions, making them invisible to standard security tools like Microsoft Defender.

The misuse of UIA is reminiscent of how Android’s accessibility services have been exploited by malware. Features intended to enhance user experience inadvertently create opportunities for malicious actors.

Preventing Exploitation

Organizations can mitigate these risks by restricting access to UI Automation for untrusted applications. Users should avoid running unverified programs and ensure their systems are updated. Security teams should employ advanced behavior-based monitoring tools to detect abnormal interactions with UI components. Collaboration between developers and security experts is essential to close these gaps and secure these frameworks.
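One concrete starting point for the behavior-based monitoring recommended above, added here as an example and not part of the original report: a PowerShell hunt that lists processes which have loaded the UI Automation client library and flags those outside an allow-list of known assistive and shell components. It assumes the library is the standard Windows system DLL UIAutomationCore.dll and that the baseline list below is tuned to your own environment.

```powershell
# Added example (not from the original article): hunt for processes that have loaded
# the UI Automation client library. Assumes the library is UIAutomationCore.dll
# (a standard Windows system DLL). Run from an elevated prompt so the module lists
# of other users' processes are readable.

# Constructed baseline of processes that legitimately use UIA (assistive tech, shell,
# browsers). Tune this to your environment; anything not listed gets reported.
$Baseline = @('Narrator', 'explorer', 'SearchHost', 'StartMenuExperienceHost',
              'TextInputHost', 'msedge', 'chrome')

$Findings = foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    # Reading .Modules throws for protected processes and for 32-bit processes
    # when run from a 64-bit shell; skip those rather than abort the sweep.
    $mods = try { $p.Modules } catch { $null }
    if (-not $mods) { continue }

    $uia = $mods | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }
    if (-not $uia) { continue }

    # Check the image signature so an unsigned binary talking to UIA stands out.
    $sig = if ($p.Path) { (Get-AuthenticodeSignature -FilePath $p.Path).Status } else { 'Unknown' }

    [pscustomobject]@{
        PID        = $p.Id
        Name       = $p.ProcessName
        Path       = $p.Path
        Signed     = $sig
        InBaseline = ($Baseline -icontains $p.ProcessName)
    }
}

# Report anything outside the baseline or without a valid signature; these are the
# candidates for closer review, not automatic verdicts.
$Findings |
    Where-Object { -not $_.InBaseline -or $_.Signed -ne 'Valid' } |
    Sort-Object Name |
    Format-Table PID, Name, Signed, InBaseline, Path -AutoSize
```

Scheduling this sweep and diffing its output against a known-good run gives a cheap signal for new, unexpected UIA clients appearing on a host.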