Attackers are leveraging a technique that lets a legitimate-looking process load and run a malicious file, according to the research team at Cyberbit. Component Object Model (COM) hijacking, usually used by attackers as a persistence mechanism, also has evasive capabilities.
A proof-of-concept experiment by the Cyberbit research team, detailed in today's blog post, found hundreds of registry keys that could be abused this way. Most modern malware relies on code injection to hide malicious behavior inside benign activity; COM hijacking instead gets code running inside a legitimate, whitelisted process such as a web browser without injecting anything. It abuses the COM lookup order: per-user registrations under HKCU\Software\Classes\CLSID take precedence over the machine-wide entries under HKLM, so an unprivileged user can point the InprocServer32 value of a CLSID at a malicious DLL, and any trusted process that instantiates that object loads the DLL as if it were its own code.
Researchers wrote that their findings were alarming. “Another troubling finding is the fact that adding these DLLs doesn’t even require a boot. Since most keys were affected immediately upon running the target process, some keys did not even require execution of the target process for a process which is already running, such as 'Explorer.exe.'”
Because the malicious module is loaded through a legitimate, documented mechanism, the host process appears to be behaving normally and the technique evades detection that keys on injection. It is also easy to implement, since it requires no sophisticated code injection, yet the loaded code runs with the full privileges of the host process and can perform sensitive actions such as connecting to the Internet, according to the researchers.
“The purpose of this research was to uncover the scope of the problem, which is often overlooked by security products,” said Meir Brown, director of research at Cyberbit. “The scope of the risk is wide since we have seen many critical Windows processes which load COM objects without verification. This generates an easy method of injection and persistence with minimal visibility."
"The mitigation is to have a security solution which alerts on COM hijacking and to monitor any system error carefully since it may imply COM hijacking," Brown said. "In addition, I would suggest carefully monitoring specific registry keys like the ones we present in our report, which are used to load popular COM objects.”
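The following PowerShell script is an added example, not Cyberbit's code and not taken from their report. It ties the mechanism described above (a per-user CLSID registration shadowing the machine-wide one) to the monitoring Brown recommends: it walks HKCU:\Software\Classes\CLSID, looks at each InprocServer32 and LocalServer32 default value, and flags registrations that shadow an HKLM entry with a different module, point into user-writable directories, or reference an unsigned or missing module. The function name, the list of suspicious directories and the heuristics are assumptions made for this example; it covers only the CLSID server keys, not every COM lookup path (TreatAs, ProgID, the WOW6432Node view), so treat it as a triage aid rather than a complete detector.

```powershell
# Added example (not Cyberbit's code): list per-user COM server registrations that
# look like hijacks. Assumption: hijacks most often appear as InprocServer32 or
# LocalServer32 keys under HKCU:\Software\Classes\CLSID whose module shadows an
# HKLM registration, lives in a user-writable directory, is unsigned, or is missing.

function Resolve-ComServerModule {
    # Turn the raw registry value into a file path. LocalServer32 values may carry
    # arguments; only the quoted form ("C:\path\x.exe" /args) is parsed here.
    param([string]$Value)
    $v = $Value.Trim()
    if ($v.StartsWith('"')) { $v = $v.Substring(1).Split('"')[0] }
    return [Environment]::ExpandEnvironmentVariables($v)
}

function Get-ComHijackCandidates {
    [CmdletBinding()]
    param(
        # Directories a legitimate machine-wide COM server would not normally load from.
        [string[]]$SuspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
    )

    $userClsid    = 'HKCU:\Software\Classes\CLSID'
    $machineClsid = 'HKLM:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsid)) { return @() }

    Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($serverKey in 'InprocServer32', 'LocalServer32') {
            $userKey = Join-Path $_.PSPath $serverKey
            if (-not (Test-Path $userKey)) { continue }

            # The key's default value is the module COM will load for this CLSID.
            $rawUser = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($rawUser)) { continue }
            $userModule = Resolve-ComServerModule $rawUser

            # Per-user keys win over HKLM, so check what this registration shadows.
            $machineModule = $null
            $machineKey = Join-Path $machineClsid "$clsid\$serverKey"
            if (Test-Path $machineKey) {
                $rawMachine = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
                if ($rawMachine) { $machineModule = Resolve-ComServerModule $rawMachine }
            }

            $reasons = @()
            if ($machineModule -and ($machineModule -ne $userModule)) {
                $reasons += 'shadows HKLM registration with a different module'
            } elseif (-not $machineModule) {
                # Per-user-only installs (some browsers, chat clients) also look like this;
                # compare against a known-good baseline before acting on it.
                $reasons += 'no machine-wide registration for this CLSID'
            }
            foreach ($root in $SuspiciousRoots) {
                if ($root -and $userModule.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "module lives under user-writable path $root"
                    break
                }
            }
            if (-not (Test-Path -LiteralPath $userModule)) {
                $reasons += 'module path does not exist (stale entry or staged hijack)'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $userModule -ErrorAction SilentlyContinue
                if ($sig -and $sig.Status -ne 'Valid') {
                    $reasons += "module is not validly signed ($($sig.Status))"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    CLSID         = $clsid
                    ServerKey     = $serverKey
                    UserModule    = $userModule
                    MachineModule = $machineModule
                    Reasons       = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: run in the context of the user being investigated (the hive is per-user).
Get-ComHijackCandidates | Sort-Object CLSID | Format-Table -AutoSize -Wrap
```

Run it as the user whose hive you want to inspect, since HKCU is per-user and a hijack planted for one account is invisible from another. A single "no machine-wide registration" hit is weak on its own; the strong signals are a per-user key that shadows an existing HKLM module with something unsigned under %APPDATA% or %TEMP%. For the continuous monitoring Brown describes, the same keys can be watched as they are written rather than polled, for example with Sysmon registry value-set events (event ID 13) scoped to `HKCU\Software\Classes\CLSID\*\InprocServer32`, which catches the hijack at the moment the attacker adds the key, before the next time the target process instantiates the object.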