Security Researchers Discover AtomBombing — An Injection Code that Infects Multiple Processes in Windows leading to malware installation.
Ensilo’s security researchers have identified a unique method that allows injection of malicious code into multiple processes without getting identified by any endpoint security system or antivirus software. This method has been labeled as AtomBombing
It has been named so because it depends on the Windows atom tables’ mechanism; these are specially designed tables that are provided by the operating system. The tables can be used for initiating data sharing between various applications.
According to Tai Liberman, a researcher at Ensilo, the team at the firm has discovered “a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table.”
In a blog post, Ensilo researcher wrote that “we also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
The reason why this latest code-injection remains undetected by antiviruses and endpoint security systems is that it is based on genuine and legitimate mechanism and that the mechanism of atom tables is currently part of all versions of Windows OS. Therefore, it is too difficult to release a patch considering that it does not indicate any vulnerability.
There are numerous reasons behind using code injection method in malware such as in banking Trojans the code injection can infect browser processes to observe and change locally visited websites while using banking websites. Due to this feature, hackers are able to steal login credentials as well as payment card information. They also can redirect any transaction to their own account.
Moreover, the malicious code injection can help attackers in bypassing limitations that let only a certain data to be accessed by particular processes only. Such as, for stealing encrypted passwords used for another application the code injection can help or it may also aid in capturing screenshots of the user’s desktop despite the malware process doesn’t have the necessary privilege.
Liberman also wrote that “being a new code injection technique, AtomBombing bypasses [antivirus] and other endpoint infiltration prevention solutions.”
Bitdefender’s senior threat analyst Liviu Arsene stated that even if the attack is not targeted towards exploiting any software weakness, security vendors can detect or delete/block the malicious payload. Hence, if the payload still gets executed and attempts to inject the malicious code into an authentic application then it would be possible to detect and block it. That’s because security vendors usually monitor processes and services across their execution lifespan.
Microsoft has urged that its customers must observe safe and responsible computing practices in order to avoid malware infection through AtomBombing. These practices include avoiding clicking on unreliable links to web pages, downloading or opening suspicious files or documents sent from unknown sources and be cautious while accepting file transfers.