New code injection attack works on all Windows versions
Researchers from security outfit enSilo have uncovered a new code injection technique that can be leveraged against all Windows versions without triggering current security solutions.
They’ve dubbed the technique AtomBombing, because it exploits the operating system’s atom tables.
“These tables are provided by the operating system to allow applications to store and access data. [They] can also be used to share data between applications,” enSilo’s Tal Liberman explained.
“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
Depending on the process into which it is injected, the malicious code could allow attackers to take screenshots, access encrypted passwords, or perform Man in the Browser (MitB) attacks.
“Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint infiltration prevention solutions,” Liberman explained.
“Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints (such as anti-virus and host intrusion prevention systems), typically update their signatures accordingly. So once the injection is known, it can be detected and mitigated by the security products.”
There is no effective way to patch this hole, as it is not a vulnerability. The only remedy is for security products to start monitoring API calls for malicious activity.
The success of AtomBombing depends on attackers being able to trick users into running a malicious executable, but that remains a low bar for them to clear.