
AtomBombing: A Code Injection that Bypasses Current Security Solutions


"Our research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.

AtomBombing affects all Windows versions. In particular, we tested this against Windows 10.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed."

Code Injection 101
"The issue we revealed presents a way for threat actors to inject code. Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable.

For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level firewall installed on the computer would block that executable’s communication. To overcome this issue, evil.exe would have to find a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe.

This manipulation technique is known as code injection."

Code Injection: An Important Tool in the Attacker’s Toolbox
"There are quite a few reasons why code injection is useful. An attacker may use code injection, for example, to:

  1. Bypass process level restrictions: Many security products employ a white list of trusted processes. If the attacker is able to inject malicious code into one of those trusted processes, the security product can easily be bypassed.
  2. Access context-specific data. Some data is only accessible to certain processes, while inaccessible to others. For example:
    1. Taking screenshots. A process that takes a screenshot of the user's screen must run within the context of the user's desktop. However, more often than not malware will be loaded into the services desktop, not the user’s, preventing the malware from taking a screenshot of the user's desktop. Using code injection, malware can inject code into a process that’s already running in the user's desktop, take a picture and send it back to the malware in the services desktop.
    2. Performing Man in the Browser (MitB) attacks. By injecting code into a web browser an attacker can modify the content shown to the user. For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via confirmation screens. However, the attacker modifies the data so that the bank receives false transaction information in favor of the attacker, i.e. a different destination account number and possibly amount. In a MitB attack, the customers are unaware of the money being funneled out of their account until it’s too late.
    3. Accessing encrypted passwords. Google Chrome encrypts the user's stored passwords by using the Windows Data Protection API (DPAPI). This API uses data derived from the current user to encrypt/decrypt the data and access the passwords. In this scenario, malware that is not running in the context of the user will not be able to access the passwords. However, if the malware injects code into a process that's already running in the context of the current user, the plain-text passwords can be easily accessed."

Behind the Scenes of AtomBombing
"The underlying Windows mechanism which AtomBombing exploits is called atom tables. These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications.

What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.

For the technology deep dive, please see the researcher’s post here: https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/"

Code Injections in the Past
"Currently there are just a handful of known code injection techniques. A list of several of these can be found here: http://resources.infosecinstitute.com/code-injection-techniques/

Additionally, last summer our research team found a new code injection technique called PowerLoaderEx. PowerLoaderEx enables an attacker to inject code without needing to actually write code or data to the injected process.

Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints (such as anti-virus and host intrusion prevention systems) typically update their signatures accordingly. So once the injection is known, it can be detected and mitigated by the security products.

Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint infiltration prevention solutions."

Mitigation
"AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities.

Since the issue cannot be fixed, there is no notion of a patch for this. Thus, the direct mitigation answer would be to tech-dive into the API calls and monitor those for malicious activity.

It’s important though at this point to take a step back. AtomBombing is one more technique in the attacker’s toolbox. Threat actors will continuously take out a tool – used or new – to ensure that they bypass anti-infiltration technologies (such as AV, NGAV, HIPS, etc).

Obviously we need to find a different way to deal with threat actors. Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment."

http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions

About Atom Tables:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms649053(v=vs.85).aspx?f=255&MSPPError=-2147217396
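The quoted Mitigation section says the practical answer is to monitor the relevant API calls for malicious activity. Below is an added example of what such a correlation rule can look like; it is not code from eNSilo, from the linked researcher's post, or from this thread. It relies on the mechanism described in the linked deep-dive: the attacking process writes its data into the global atom table (GlobalAddAtom), then queues an asynchronous procedure call (NtQueueApcThread) so that a thread in the legitimate target process runs GlobalGetAtomName and copies the data into its own memory. The telemetry format (newline-delimited JSON with ts, pid, api, target_pid and apc_routine fields) and the 5-second correlation window are assumptions made for this example; real EDR or ETW feeds use their own schemas and the window needs tuning per environment. The sample events are constructed.

```python
"""Heuristic detection of the AtomBombing call pattern over process API telemetry.

Added example (not eNSilo's or the thread's code).  The telemetry schema is
constructed for this example; real EDR/ETW feeds use their own field names.
"""
from collections import defaultdict
import json

# Constructed sample telemetry: one JSON object per line.
# Fields: ts (seconds), pid, api, plus api-specific fields.
#   pid 4242: writes three atoms, then queues GlobalGetAtomNameW into pid 1337 (the pattern)
#   pid 900 : same-process APC with an unrelated routine (benign noise)
#   pid 2222: cross-process APC to GlobalGetAtomNameA with no prior atom writes seen
SAMPLE_TELEMETRY = """\
{"ts": 1.00, "pid": 4242, "api": "GlobalAddAtomW", "atom_len": 255}
{"ts": 1.01, "pid": 4242, "api": "GlobalAddAtomW", "atom_len": 255}
{"ts": 1.02, "pid": 4242, "api": "GlobalAddAtomW", "atom_len": 120}
{"ts": 1.05, "pid": 4242, "api": "NtQueueApcThread", "target_pid": 1337, "target_tid": 1340, "apc_routine": "kernel32!GlobalGetAtomNameW"}
{"ts": 1.06, "pid": 4242, "api": "NtQueueApcThread", "target_pid": 1337, "target_tid": 1340, "apc_routine": "kernel32!GlobalGetAtomNameW"}
{"ts": 2.00, "pid": 900, "api": "GlobalAddAtomW", "atom_len": 12}
{"ts": 2.50, "pid": 900, "api": "NtQueueApcThread", "target_pid": 900, "target_tid": 905, "apc_routine": "ntdll!RtlDispatchAPC"}
{"ts": 9.00, "pid": 2222, "api": "NtQueueApcThread", "target_pid": 3333, "target_tid": 3340, "apc_routine": "kernel32!GlobalGetAtomNameA"}
"""

ATOM_WRITE_APIS = {"GlobalAddAtomA", "GlobalAddAtomW", "AddAtomA", "AddAtomW"}
ATOM_READ_ROUTINES = {"GlobalGetAtomNameA", "GlobalGetAtomNameW"}
CORRELATION_WINDOW = 5.0  # seconds; an assumed tuning value, not from the page


def parse_telemetry(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_atombombing(events, window=CORRELATION_WINDOW):
    """Return one finding per (source_pid, target_pid) pair showing the pattern.

    Rule: a process queues an APC into a *different* process and the APC
    routine is GlobalGetAtomName*.  Severity is "high" when the same source
    process also wrote to the global atom table within `window` seconds
    beforehand, "medium" otherwise (the atom writes may simply have happened
    before telemetry collection started).
    """
    atom_writes = defaultdict(list)  # pid -> [(ts, atom_len)]
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        api = ev["api"]
        if api in ATOM_WRITE_APIS:
            atom_writes[ev["pid"]].append((ev["ts"], ev.get("atom_len", 0)))
            continue
        if api != "NtQueueApcThread":
            continue
        src, dst = ev["pid"], ev.get("target_pid")
        if dst is None or dst == src:
            continue  # APCs within one process are routine; only cross-process ones matter here
        routine = ev.get("apc_routine", "").rsplit("!", 1)[-1]
        if routine not in ATOM_READ_ROUTINES:
            continue
        recent = [(ts, n) for ts, n in atom_writes[src] if 0 <= ev["ts"] - ts <= window]
        f = findings.setdefault((src, dst), {
            "source_pid": src, "target_pid": dst, "apc_count": 0,
            "atom_chars_written": 0, "severity": "medium", "first_ts": ev["ts"],
        })
        f["apc_count"] += 1
        if recent:
            f["severity"] = "high"
            f["atom_chars_written"] = sum(n for _, n in recent)
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_atombombing(parse_telemetry(SAMPLE_TELEMETRY)):
        print(json.dumps(finding))
```

The rule keys on the combination rather than on either call alone: GlobalAddAtom is used legitimately by many programs, and APCs are queued constantly, but a cross-process APC whose routine is GlobalGetAtomName has no ordinary reason to exist. Resolving the APC routine address to a symbol (as the sample's apc_routine field already does) is the part that depends on the sensor; without it the rule degrades to flagging every cross-process NtQueueApcThread, which is still a useful but much noisier signal.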
 

FreedomEclipse

I'm sure Japan would like to establish a quick defense against this
 
Absolutely lovely, all we need now is for someone to make it into a banking trojan and they could make so much money it isn't funny
 