This sneaky new malware technique aims to hijack Windows itself to avoid detection

Security researchers at Akamai have discovered that UI Automation’s accessibility feature could be abused for malicious purposes
UI automation needs to have the ability to do all the things that malware normally does, making it difficult for antivirus programs to detect them
Administrators can monitor the operating system for suspicious activity

Cybersecurity researchers at Akamai have discovered a new way to run malware on Windows devices without triggering endpoint detection and response (EDR) tools.

A report published on the Akamai blog earlier this week said that starting with Windows XP, the operating system introduced a feature called UI Automation as part of the .NET Framework. This feature is intended to provide programmatic access to user interface elements and enable assistive technologies such as screen readers to interact with applications and assist users with disabilities. It also supports automated testing scenarios by allowing developers to programmatically manipulate and retrieve information from UI components.

But if a malware were to abuse UI automation, it could execute various malicious commands without triggering security alarms: “To exploit this technique, a user must be convinced to run a program that uses UI automation,” Akamai said in its article . “This can lead to surreptitious command execution, which can capture sensitive data, redirect browsers to phishing websites, and more.”

Detect possible attacks

The new tech is essentially a port of Android as it revolves around accessibility features.

Because the malware essentially abuses an otherwise harmless intended purpose, it would be difficult for antivirus programs to flag the activity. Essentially it’s the same as Android – the Accessibility Services API has become the go-to source for malware on the platform. This is also the best way to detect malicious applications, as they all have to first ask for permission to use accessibility services.

To detect possible attacks, administrators should monitor the usage of UIAutomationCore.dll, the researchers concluded. Loading into a previously unknown process should be a cause for concern, it said. Additionally, network administrators can monitor the named pipes opened on an endpoint through the UIA, which is another indicator of usage.

You can find the details here.