Hackers Exploit COM Objects for Stealthy Fileless Malware Attacks

Listen to this Post

A New Threat in Cybersecurity

Cybersecurity researchers have recently discovered an advanced hacking technique that allows cybercriminals to execute malware without leaving any files on a system. This stealthy attack leverages the Component Object Model (COM) and Distributed COM (DCOM) remoting technology, enabling attackers to run malicious .NET code on remote servers without traditional file-based indicators.

This method builds upon previous research by James Forshaw of Google Project Zero, who demonstrated how COM objects could be manipulated for privilege escalation and bypassing security mechanisms such as Protected Process Light (PPL) protections. The new attack method takes Forshaw’s research a step further, using trapped COM objects to enable fileless lateral movement across a network.

Exploiting COM Vulnerabilities

COM has been a fundamental part of Windows development since the 1990s, providing a framework for different programming languages to communicate efficiently. DCOM, an extension of COM, enables remote communication between systems. Hackers have exploited vulnerabilities within this system to launch fileless attacks.

A key target in this new attack vector is the WaaSRemediation COM class, part of the WaaSMedicSvc service. This service operates under NT AUTHORITY\SYSTEM, a privileged system account, making it a valuable target for attackers.

By manipulating the IDispatch interface and hijacking the StdFont object, attackers can execute .NET code through DCOM reflection. Cybersecurity experts Dylan Tran and Jimmy Bayne have demonstrated a proof-of-concept technique showing how registry key manipulations can be used to hijack the StdFont object, allowing malware to execute stealthily without writing files to disk.

This technique relies on modifying specific Windows registry values, including:

– AllowDCOMReflection

– OnlyUseLatestCLR

These changes facilitate the execution of arbitrary .NET methods through the COM server, making detection extremely difficult.

Challenges and Defensive Measures

While this attack method is highly sophisticated and effective for fileless malware deployment, it comes with certain operational challenges for hackers. The biggest limitation is that the attack is tied to the application lifetime of the initial execution binary, meaning persistence is not guaranteed.

Detection and Mitigation Strategies

Security experts suggest several measures to detect and prevent such attacks:
– Monitoring for CLR load events in svchost.exe processes
– Tracking registry modifications related to COM object hijacking

– Observing DACL (Discretionary Access Control List) changes

– Restricting DCOM ephemeral ports using host-based firewalls

  • Utilizing YARA rules to detect suspicious .NET execution patterns

Despite these countermeasures, this attack highlights the growing sophistication of fileless malware and the continuous need for improved cybersecurity strategies to combat evolving threats.

What Undercode Say:

The discovery of this attack method highlights how legacy Windows features like COM and DCOM are being re-engineered for cybercriminal purposes. Let’s break down the implications of this new malware technique:

Pros of the Attack from a

✔ Stealth and Evasion: Since this is a fileless attack, it bypasses traditional antivirus and endpoint detection tools that rely on file-based scanning.
✔ Remote Execution: The use of DCOM enables attackers to execute code on remote servers without transferring files, reducing their footprint.
✔ Leveraging Existing Windows Components: Hackers don’t need to create or introduce new malware binaries—they weaponize existing COM objects that are already part of the Windows system.
✔ Bypassing Security Controls: The method enables bypassing PPL protections and executing malicious code with high privileges.

Cons and Limitations for Attackers

❌ Persistence Issues: The attack is tied to the execution of a specific binary, meaning it does not survive a system reboot unless additional persistence techniques are used.
❌ Detection via Behavior Analytics: While fileless malware is difficult to detect, behavior-based security monitoring tools can still identify suspicious registry changes or abnormal COM activity.
❌ Mitigation via Windows Updates: If Microsoft patches the vulnerabilities in WaaSRemediation and COM object reflection, this attack vector could become obsolete.
❌ Complexity of Execution: This is not an easy attack to perform—it requires a deep understanding of COM internals, .NET reflection, and Windows registry manipulations.

What It Means for Cybersecurity

The use of COM hijacking in fileless malware attacks reinforces the need for more advanced detection techniques. Security teams should prioritize:

– Behavior-based anomaly detection over signature-based detection

– Continuous monitoring of COM object modifications

– Restricting unnecessary DCOM functionality in enterprise environments

As attackers evolve, so must defensive strategies—security professionals need to anticipate and respond to these sophisticated techniques before they become widespread threats.

Fact Checker Results:

1️⃣ The attack method is fileless, meaning traditional antivirus solutions that rely on file signatures are ineffective.
2️⃣ Microsoft has not yet released an official patch for this specific COM hijacking technique, but security teams can mitigate risks through behavioral monitoring.
3️⃣ This technique is highly advanced and currently requires significant expertise to execute, limiting its widespread adoption for now.

References:

Reported By: https://cyberpress.org/hackers-leverage-com-objects-for-stealthy/
Extra Source Hub:
https://www.facebook.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image