This devious new malware technique looks to hijack Windows itself to avoid detection

Fingertip pressing keyboard key with Windows logo on it
Är du ute efter bästa VPN för Windows 10 och Windwos 11? Här är våra favoriter just nu. (Image credit: Shutterstock)

  • Security researchers from Akamai found UI Automation accessibility feature could be abused for malicious use
  • UI Automation must be allowed to do all the things malware usually does, which makes it difficult for antivirus programs to spot it
  • Admins can monitor the OS for suspicious activity

Cybersecurity researchers from Akamai have discovered a new way to get malware to run on Windows devices without triggering Endpoint Detection and Response (EDR) tools.

In a report published on the Akamai blog earlier this week, it was said that starting with Windows XP, the OS introduced a feature called UI Automation, as part of the .NET Framework. This feature is designed to provide programmatic access to user interface elements, enabling assistive technologies like screen readers to interact with applications and help users with disabilities. It also supports automated testing scenarios by allowing developers to manipulate and retrieve information from UI components programmatically.

But if a piece of malware were to abuse UI Automation, they could execute different malicious commands without triggering any security alarms: "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai said in its writeup. "This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more."

Detecting possible attacks

The new technique is essentially a port from Android, since it revolves around accessibility features.

Since the malware would essentially be abusing what’s otherwise a benign, intended use, antivirus programs would have a difficult time flagging the activity. In essence, it is the same as with Android - the accessibility services API has become the go-to way for malware on the platform. It is also the best way to spot malicious applications, since they all must ask for permission to use Accessibility Services, first.

To detect possible attacks, admins should monitor the use of UIAutomationCore.dll, the researchers concluded. It being loaded to a previously unknown process should be cause for concern, it was said. Furthermore, network admins can monitor the named pipes that are opened on an endpoint by the UIA, which is another indicator of use.

The details on how to do that can be found here.

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Phone scammer
Microsoft thinks it could stop this dangerous scam forever
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
A computer being guarded by cybersecurity.
Huge cyberattack found hitting vulnerable Microsoft-signed legacy drivers to get past security
AI tools.
Not even fairy tales are safe - researchers weaponise bedtime stories to jailbreak AI chatbots and create malware
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 23 (game #385)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 23 (game #651)
Google Pixel 9 Pro Fold main display opened
Apple is rumored to be prioritizing battery life on the foldable iPhone – which could also feature a liquid metal hinge for added durability
Google Pixel 9
The Google Pixel 10 just showed up in Android code – and may come with a useful speed boost
L-mount alliance
Sirui joins L-Mount Alliance to deliver its superb budget lenses for Leica, DJI, Sigma and Panasonic cameras