MENU O C T O B E R 2 7, 2 0 1 6 B Y [T A L L I B E R M A N](http://blog.ensilo.com/author/tal-liberman) ## AtomBombing: A Code Injection that Bypasses Current Security Solutions [Tweet](https://twitter.com/intent/tweet?original_referer=http%3A%2F%2Fblog.ensilo.com%2Fatombombing-a-code-injection-that-bypasses-current-security-solutions&ref_src=twsrc%5Etfw&text=AtomBombing%3A%20A%20Code%20Injection%20that%20Bypasses%20Current%20Security%20Solutions&tw_p=tweetbutton&url=http%3A%2F%2Fblog.ensilo.com%2Fatombombing-a-code-injection-that-bypasses-current-security-solutions) **[Share](javascript:void(0);)** **517** **Like** **Share** 525 45 Our research team has uncovered new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits. AtomBombing a�ects all Windows version. In particular, we tested this against Windows 10. Unfortunately, this issue cannot be patched since it doesn’t rely on broken or �awed code – rather on how these operating system mechanisms are designed. # Code Injection 101 The issue we revealed presents a way for threat actors to inject code. Attackers use code injection to add malicious code into legitimate processes, making it easier to bypass security products, hide from the user, and extract sensitive information that would otherwise be unattainable. For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe. Any kind of decent application level �rewall installed on the computer would block that executable’s communication. To overcome this issue, evil.exe would have to �nd a way to manipulate a legitimate program, such as a web browser, so that the legitimate program would carry out communication on behalf of evil.exe. This manipulation technique is known as code injection. # Code Injection: An Important Tool in the Attacker’s Toolbox There are quite a few reasons why code injection is useful. An attacker may use code injection, for example, to: 1. Bypass process level restrictions: Many security products employ a white list of trusted processes. If the tt k i bl t i j t li i d i t f th t t d th it d t ----- 2. Access to context-speci�c data. Some data is only accessible to certain processes, while inaccessible to others. For example: a. Taking screenshots. A process that takes a screenshot of the user's screen, must run within the context of the user's desktop. However, more often than not malware will be loaded into the services desktop, not the user’s, preventing the malware from taking a screenshot of the user's desktop. Using code injection, a malware can inject code into a process that’s already running in the user's desktop, take a picture and send it back to the malware in the services desktop. b. Performing Man in the Browser (MitB) attacks. By injecting code into a web browser an attacker can modify the content shown to the user. For example, in a banking transaction process, the customer will always be shown the exact payment information as the customer intended via con�rmation screens. However, the attacker modi�es the data so that the bank receives false transaction information in favor of the attacker, i.e. a di�erent destination account number and possibly amount. In a MitB attack, the customers are unaware of the money being funneled out of their account until it’s too late. c. Accessing encrypted passwords. Google Chrome encrypts the user's stored passwords by using Windows Data Protection API (DPAPI). This API uses data derived from the current user to encrypt/decrypt the data and access the passwords. In this scenario, a malware that is not running in the context of the user will not be able to access the passwords. However, if the malware injects code into a process that's already running in the context of the current user, the plain-text passwords can be easily accessed. # Behind the Scenes of AtomBombing The underlying Windows mechanism which AtomBombing exploits is called atom tables. These tables are provided by the operating system to allow applications to store and access data. These atom tables can also be used to share data between applications. What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code. For the technology deep dive, please the researcher’s post here: https://breakingmalware.com/injection techniques/atombombing-brand-new-code-injection-for-windows/ # Code Injections in the Past Currently there are just a handful of known code injection techniques. A list of several of these can be found [here: http://resources.infosecinstitute.com/code-injection-techniques/](http://resources.infosecinstitute.com/code-injection-techniques/) [Additionally, last summer our research team found a new code injection technique called PowerLoaderEx.](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/) PowerLoaderEx enables an attacker to inject code without needing to actually write code or data to the injected process. Once a code injection technique is well-known, security products focused on preventing attackers from compromising the endpoints (such as anti-virus and host intrusion prevention systems), typically update their signatures accordingly. So once the injection is known, it can be detected and mitigated by the security products. Being a new code injection technique, AtomBombing bypasses AV, NGAV and other endpoint in�ltration prevention solutions. # Mitigation AtomBombing is performed just by using the underlying Windows mechanisms There is no need to exploit ----- would be to tech-dive into the API calls and monitor those for malicious activity. It’s important though at this point to take a step back. AtomBombing is one more technique in the attacker’s toolbox. Threat actors will continuously take out a tool – used or new - to ensure that they bypass anti in�ltration technologies (such as AV, NGAV, HIPS, etc). Obviously we need to �nd a di�erent way to deal with threat actors. Under the assumption that threat actors will always exploit known and unknown techniques, we need to build our defenses in a way that prevents the consequences of the attack once the threat actor has already compromised the environment. ## Learn how attackers appear legitimate in face of security tools by exploiting design vulnerabilities #### Download Now HEALTHCARE - A CYBERATTACK TARGET THAT’S ONLY GETTING BIGGER R E A D N E X T [THE ZERO-DOWNTIME ORGANIZATION](https://pages.ensilo.com/the-zero-downtime-organization?utm_source=trendemon&utm_medium=content&utm_campaign=flow) Cyber-Security in 120 S Brokers Free-for-All Loo POST TAGS [RESEARCH](http://blog.ensilo.com/topic/research) **Comments for this thread are now closed.** **×** ###### 18 Comments Ensilo Blog 1 Login  **Recommend** **4** ##### ⤤ Share Sort by Best **[MonkeyBoy](https://disqus.com/by/disqus_uJfgxgq7L2/)** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973477116) ###### Got here from: http://thehackernews.com/2016/... A lot of hype from that site. #1 you say "For example, let’s say an attacker was able to persuade a user to run a malicious executable, evil.exe" Yea! Hello? If you get any "evil.exe" run on your system you're in trouble. Not by this technique alone, as the executable can install a number of components (rootkits) in userland and/or kernel space. That page goes on to hype it up more talking about "encryption" key hijacking, etc., which is not ----- **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> MonkeyBoy](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973477116) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973576890) ###### This technique can be used post infection to inject code from one process to another. For example, on a computer protected by modern security software a malicious executable such as evil.exe will not be able to communicate because it would be blocked by a firewall. It would need to inject code into a browser in order to communicate which will also be blocked by any standard AV. By using AtomBombing evil.exe can inject code into a web browser undetected by said AV and then have the web browser communicate on its behalf undetected by said firewall. 1 △ Share › **[Sebastian Cato](https://disqus.com/by/sebastiancato/)** [> Tal_Liberman](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973576890) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2976227335) ###### Why not just use CreateRemoteThread or NtQueueApcThread calling something like LoadLibrary? Using atom tables just sounds like it would achieve the same goal with added hassle, and you wouldn't gain anything, since it still requires NtQueueApcThread, which AFAIK most AV hooks at runtime. It's been used for a while now, see e.g., [1] [1]: http://www.codeproject.com/Art... ###### △ ▽ Share › **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> Sebastian Cato](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2976227335) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2976424240) ###### Use CreateRemoteThread or NtQueueApcThread to call LoadLibrary and any AV will catch you. Use AtomBombing and you'll bypass most AV products. Some AVs do hook NtQueueApcThread but they'll only flag your malicious behavior if you use NtQueueApcThread to call LoadLibrary or some code that was allocated dynamically with VirtualAllocEx. Also if you use NtQueueApcThread to call LoadLibrary you must place a DLL file on the disk, which will be picked up by the AV and sent to its cloud service for reputation analysis. AtomBombing allows you to inject shellcode without having to touch the disk. 2 △ **Hacked_OFF** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973215768) Share › ###### This explains how we have been able to be hacked for the last 18 months no matter what we do in terms of security features in Windows 10. This is actually a design feature inserted by Microsoft as a back door for the security services, as we have discovered. We strongly suspected this and now it have been proven. Bloody Hell !!!!, Microsoft software update policy is also designed to allow the security services to compromise updates... so watch out !!! 1 △ Share › **level1** [> Hacked_OFF](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973215768) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2976670907) ###### Get the tin hats out... ###### △ ▽ Share › **[ExoticWaves](https://disqus.com/by/ExoticWaves/)** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2974834461) ###### Is Mac OSX susceptible to this attack vector, "Atom bombing"??? ###### △ ▽ Share › **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> ExoticWaves](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2974834461) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2975814531) ###### No, AtomBombing only affects Windows. ###### △ ▽ Share › ----- **[Dylan Taylor](https://disqus.com/by/aliendude5300/)** - [ﻧﺯﺍﺭ](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973990224) ﺃﺑﻭ - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2974124462) ###### Linux is not affected by this, no. ###### △ ▽ Share › **[Cees Timmerman](https://disqus.com/by/CeesTimmerman/)** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973356097) ###### Threat signatures are always outdated. Use signed hashes to ensure the integrity of your system's authorized software. ###### △ ▽ Share › **Robert** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973255719) ###### Have you spoken to anyone at Microsoft about this (i.e. MSRC)? ###### △ ▽ Share › **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> Robert](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973255719) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973394667) ###### This code injection technique is not dependent on a vulnerability in Microsoft. Rather it leverages legitimate building blocks of Windows. 1 △ **bro** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2972902514) Share › ###### So, how to apply this? AtomTable allows only Strings and Integers (based on MS documentation). So, only affected applications are apps that uses GlobalAtomTable in such a way that allows bypass some security principles (like storing code in form of string, or path to dll in form of string etc.). Still it sounds like a problem with applications not with Windows API. Apps should consider data coming from GlobalAtomTable as untrusted source. Can you name application that is vulnerable to this flow? ###### △ ▽ Share › **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> bro](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2972902514) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973057532) ###### I suggest you read the detailed write-up on our technical blog: http://breakingmalware.com/inj... ###### △ ▽ Share › **[Mitja Kolsek](https://disqus.com/by/mitjakolsek/)** - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2972850030) ###### Sounds like a very Interesting research, thank you for sharing it. I was hoping for more technical details but I guess you have reasons not to reveal them at this point. Nevertheless, I'm puzzled by your claim that "... the legitimate program, now containing the malicious code, can be manipulated to execute that code" in conjunction with "the issue cannot be fixed". Does this mean that telling an application to accept code from an atom table and execute it is a by-design documented feature? If so, it sounds like a gaping hole that Microsoft will have to close, but if not, then it sounds like you have found a way to trick it to do so (which also implies a need for a patch). I'll appreciate more information - thanks! ###### △ ▽ Share › **[Tal_Liberman](https://disqus.com/by/Tal_Liberman/)** [> Mitja Kolsek](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2972850030) - [4 months ago](http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions#comment-2973060369) ###### Hi Mitja, I believe the detailed write-up on our technical blog should answer all of your questions: http://breakingmalware.com/inj... ### Subscribe to enSilo's Blog and Stay on Top of the Latest Security Research and Industry News ----- SUBSCRIBE ### Recent Posts [RSA in 120 Secs: In Case You Missed Us at the Show...](http://blog.ensilo.com/in-case-you-missed-us-at-the-show) [Cyber-Security in 120 Secs: UPDATE - Cost of a Data Breach](http://blog.ensilo.com/cyber-security-in-120-secs-the-cost-of-a-breach) [Customer Advisory Warning: The Comeback of the Hancitor Campaign](http://blog.ensilo.com/customer-advisory-warning-the-comeback-of-the-hancitor-campaign) [Cyber-Security in 120 Secs: The Data Breach E�ect and The Cost](http://blog.ensilo.com/cyber-security-in-120-secs-the-data-breach-effect-and-the-cost) [Cyber-Security in 120 Secs: Cyber-Attacks on Banks](http://blog.ensilo.com/cyber-security-in-120-secs-cyber-attacks) [Cyber-Security in 120 Secs: Drafting a Cyber Security Executive Order](http://blog.ensilo.com/cyber-security-in-120-secs-drafting-cyber-security-executive-order) [Cyber-Security in 120 Secs: Compromise is Inevitable](http://blog.ensilo.com/cyber-security-in-120-secs-compromise-is-inevitable-0) [Cyber-Security in 120 Secs: The Shadow Brokers Free-for-All Loot](http://blog.ensilo.com/cyber-security-in-120-secs-the-shadow-brokers-free-for-all-loot) [WhatsApp With That: One Says Backdoor, the Other Says Feature](http://blog.ensilo.com/whatsapp-with-that-one-says-backdoor-the-other-says-feature) [Cyber-Security in 120 Secs: 'Mungous Ransomware on MongoDB](http://blog.ensilo.com/cyber-security-in-120-secs-mungous-ransomware-on-mongodb) ### Posts by Topic [Weekly Security News (68)](http://blog.ensilo.com/topic/weekly-security-news) [Industry (19)](http://blog.ensilo.com/topic/industry) [Research (16)](http://blog.ensilo.com/topic/research) [Business (9)](http://blog.ensilo.com/topic/business) ### Archive by Month [May 2016 (9)](http://blog.ensilo.com/archive/2016/05) [December 2016 (9)](http://blog.ensilo.com/archive/2016/12) [October 2015 (7)](http://blog.ensilo.com/archive/2015/10) [February 2016 (7)](http://blog.ensilo.com/archive/2016/02) [July 2016 (7)](http://blog.ensilo.com/archive/2016/07) [November 2016 (7)](http://blog.ensilo.com/archive/2016/11) [December 2015 (6)](http://blog.ensilo.com/archive/2015/12) [January 2016 (6)](http://blog.ensilo.com/archive/2016/01) [September 2016 (6)](http://blog.ensilo.com/archive/2016/09) [February 2017 (6)](http://blog.ensilo.com/archive/2017/02) [November 2015 (5)](http://blog.ensilo.com/archive/2015/11) [August 2016 (5)](http://blog.ensilo.com/archive/2016/08) see all ### Prevent threat actors from ex�ltrating your data. Schedule a demo -----