Security experts from ENSILO have devised a method, called AtomBombing, to inject malicious code in Windows operating system that could not be detected by modern anti-malware tools.
The Atom Tables are data structures used by the operating system to store strings with an identifier to access them, they could have a global or local scope.
“An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.” reads a description published by Microsoft on the Atom Tables.
“The system provides a number of atom tables. Each atom table serves a different purpose. For example, Dynamic Data Exchange (DDE) applications use the global atom table to share item-name and topic-name strings with other applications.”
The attackers can then write malicious code into an atom table and force a legitimate application to retrieve it from the table. Once the code is retrieved by the legitimate application, it is possible to manipulate it triggering the execution of the malicious code.
“Our research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.” states the analysis published by ENSILO.
The researchers explained that the AtomBombing technique relies on tricking a user into running a malicious executable that could allow them to conduct several malicious activities including memory data snooping to grab passwords and other sensitive information.
The experts highlighted that the AtomBombing method doesn’t exploit a flaw in the OS code, instead, it relies on a certain mechanism implemented by the Windows OS.
“Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.”
(Security Affairs – AtomBombing , Windows hacking)