New Windows code injection method could let malware bypass detection
Security researchers have discovered a new way that allows malware to inject malicious code into other processes without being detected by antivirus programs and other endpoint security systems.
The new method was devised by researchers from security firm Ensilo who dubbed it AtomBombing because it relies on the Windows atom tables mechanism. These special tables are provided by the operating system and can be used to share data between applications.
“What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table,” Ensilo researcher Tal Liberman said in a blog post. “We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”