Malware News Registry Keys Vulnerable with COM Hijacking

[vtqhtr413]

Content source

https://www.infosecurity-magazine.com/news/registry-keys-vulnerable-with-com/

Attackers are leveraging a new technique that allows them to run a specious file that looks legitimate but is actually malicious, according to the research team at Cyberbit. The component object model (COM) hijacking technique, usually used for attackers as a persistence mechanism, also has evasive capabilities. A proof-of-concept experiment run by the Cyberbit research team and detailed in today's blog post reveals that the team discovered that hundreds of registry keys were vulnerable to this attack. While most modern malware creators use code injection to disguise malicious behavior within benign activity, the idea with COM hijacking is to run code within the context of a legitimate, whitelisted process, like a web browser.

Researchers wrote that their findings were alarming. “Another troubling finding is the fact that adding these DLLs doesn’t even require a boot. Since most keys were affected immediately upon running the target process, some keys did not even require execution of the target process for a process which is already running such 'Explorer.exe.'” Using this technique, attackers are able to legally load and run the malware while evading detection, making it very easy for attackers to implement because it does not require sophisticated code injection. Yet it does have the privileges to perform sensitive actions, like connecting to the Internet, according to researchers.

Full article Registry Keys Vulnerable with COM Hijacking

 

[maka]

COM hijacking isn't new, in fact, it was recently possible to bypass AMSI via COM server hijacking (this issue was fixed).
Also with COM hijacking + scheduled tasks, malware writers can run malicious code at Windows startup.
If you like adrenaline Windows is your friend. If you want security any distro based on Debian is enough.