A newly discovered technique leverages the Windows UI Automation (UIA) framework to perform malicious activities while bypassing endpoint detection and response (EDR) solutions, according to research by Akamai security researcher Tomer Peled.
What is UI Automation?
UI Automation, introduced with Windows XP as part of the .NET Framework, provides programmatic access to user interface elements for assistive technologies, such as screen readers, and for automated testing tools. It interacts with system UI elements using the Component Object Model (COM) as its communication mechanism.
Key capabilities of UI Automation include:
- Manipulating and monitoring UI elements.
- Gaining access to privileged system UI elements via a UIAccess flag when run with administrator rights.
Exploitation Techniques
This technique abuses intended UI Automation features to perform malicious actions:
- Stealthy command execution:
  - Harvests sensitive data from active UI elements.
  - Redirects browsers to phishing websites.
- Local attack vectors:
  - Reads and writes messages in applications such as Slack or WhatsApp without alerting users.
  - Interacts with off-screen elements cached by the UI framework, enabling attackers to manipulate messages or input text silently.
- Remote UI manipulation:
  - Potentially weaponized for network-based UI manipulation attacks.