Attackers continue to research new techniques that let them run files that look legitimate but are actually malicious, according to the research team at Cyberbit.
Component Object Model (COM) hijacking, a technique attackers usually use as a persistence mechanism, also has evasive capabilities.
A proof-of-concept experiment run by the Cyberbit research team, and detailed in a blog post published today, found hundreds of registry keys vulnerable to this attack. Most modern malware authors use code injection to run their code within the context of a legitimate, whitelisted process, such as a web browser.
The researchers wrote that their findings were alarming. “Another troubling finding is the fact that adding these DLLs doesn’t even require a reboot. Most of the keys were affected immediately upon running the target process; some keys did not even require execution of the target process, for a process which is already running, such as ‘Explorer.exe.’”
By using this technique, attackers get a fully legitimate process to load and run their malware while evading detection. It is very easy to implement because it does not require sophisticated code injection, yet the loaded code still has the privileges to perform sensitive actions, such as connecting to the internet, according to the researchers.
“The purpose of this research was to uncover the scope of the problem, which is often overlooked by security products,” said Meir Brown, the director of research at Cyberbit. “The scope of the risk is wide since we have seen many critical Windows processes which can load COM objects without verification. This generates an easy method of injection and persistence with minimal visibility.”
“The mitigation is to have a security solution which alerts on COM hijacking and to monitor any system error carefully since it may imply COM hijacking,” Brown said.
“In addition, I would suggest carefully monitoring the specific registry keys, like the ones we have presented in our report, which were used to load popular COM objects.”
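The monitoring Brown recommends can be approximated with a simple hive comparison. The following PowerShell script is an added example, not code from Cyberbit's report: it lists per-user CLSID registrations whose InprocServer32 DLL shadows the machine-wide registration (COM resolves HKCU before HKLM, so such an override is a classic hijacking indicator) or points at a DLL that no longer exists. The registry paths are the standard Windows locations; the function name is the author's own.

```powershell
# Added example (not Cyberbit's code): flag per-user COM server registrations that
# override a machine-wide one, or that point at a missing DLL. Both patterns are
# worth reviewing when hunting for COM hijacking.
function Find-ComHijackCandidate {
    [CmdletBinding()]
    param(
        # Standard locations; override only when checking a mounted offline hive.
        [string]$UserClsid    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineClsid = 'HKLM:\Software\Classes\CLSID'
    )

    if (-not (Test-Path $UserClsid)) { return }

    foreach ($key in Get-ChildItem -Path $UserClsid -ErrorAction SilentlyContinue) {
        $clsid      = $key.PSChildName
        $userServer = Join-Path $key.PSPath 'InprocServer32'
        if (-not (Test-Path $userServer)) { continue }

        # The '(default)' value names the DLL COM will load for this CLSID.
        $userDll = (Get-ItemProperty -Path $userServer -ErrorAction SilentlyContinue).'(default)'

        $machineServer = Join-Path $MachineClsid "$clsid\InprocServer32"
        $machineDll    = $null
        if (Test-Path $machineServer) {
            $machineDll = (Get-ItemProperty -Path $machineServer -ErrorAction SilentlyContinue).'(default)'
        }

        # Expand %SystemRoot% and friends so the existence check is meaningful.
        $expanded = if ($userDll) { [Environment]::ExpandEnvironmentVariables($userDll) } else { $null }

        [pscustomobject]@{
            CLSID       = $clsid
            UserDll     = $userDll
            MachineDll  = $machineDll
            ShadowsHKLM = ([bool]$machineDll) -and ($userDll -ne $machineDll)
            DllMissing  = ([bool]$expanded) -and -not (Test-Path -LiteralPath $expanded)
        }
    }
}

# Show only the suspicious entries: a user-hive DLL overriding the machine-wide one,
# or a registration whose DLL is absent (a dangling key that deserves investigation).
Find-ComHijackCandidate |
    Where-Object { $_.ShadowsHKLM -or $_.DllMissing } |
    Format-Table -AutoSize
```

Run it under the account being examined, since HKCU is per user; a legitimate per-user override is possible, so treat each hit as a lead to verify (publisher signature, install history) rather than a confirmed compromise.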