Researchers have identified a way attackers could use atom tables in all versions of Windows to inject malicious code into a computer and bypass detection by security products at the same time.
The technique has been nicknamed AtomBombing by researchers at enSilo, and opens the door to perform man-in-the-browser attacks, access encrypted passwords, or remotely take screenshots of targeted systems.
AtomBombing does not exploit a Windows vulnerability and cannot be fixed with a patch. EnSilo urges security professionals to monitor API calls for signs of the technique in order to fend off possible attacks.
Tal Liberman, security research team leader at enSilo, describes atom tables as an operating system feature that allows applications to store and access temporary data and to share that data between applications.
“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table,” he wrote. “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
The attack first requires that a target be tricked into running a malicious executable, either via a malicious download or by opening a malicious email attachment. Once that is achieved, attackers can inject code into legitimate processes to “remain stealth in a system to do things like evade security products,” enSilo said.
“Any kind of decent application level firewall installed on the computer would block that executable’s communication,” Liberman notes. By running inside a trusted process, the AtomBombing technique is able to bypass protections built into programs such as a web browser.
A program that has been injected can be made to decrypt any passwords it has stored. An attacker could also inject code into a web browser to modify content accessed by the user in the context of a man-in-the-middle browser attack. In another attack scenario, code injection could be used to take screenshots of a targeted user’s desktop, Liberman said.
Researchers identified several similar code injection techniques earlier this year. In April, an obscure Windows Server 2003 feature called hotpatching was found to be abused by a group called Platinum, which had figured out how to inject malicious code into running processes without having to reboot the server.