Red Hot Cyber, The cybersecurity news

Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search

BitLocker in the crosshairs: stealth attacks via COM hijacking. Online PoC

Redazione RHC : 15 September 2025 08:31

An innovative tool known as BitlockMove has been introduced, which highlights a novel lateral movement technique. This PoC leverages DCOM interfaces and COM hijacking, both of which are functional for BitLocker.

Released by security researcher Fabian Mosch of r-tec Cyber Security, the tool allows attackers to execute code on remote systems within the session of an already logged-in user, avoiding the need to steal credentials or impersonate accounts.

This technique is particularly subtle because the malicious code executes directly in the context of the target user, generating fewer indicators of compromise than traditional methods such as credential theft from LSASS.

CALL FOR SPONSOR - Sponsorizza l'ottavo episodio della serie Betti-RHC

Sei un'azienda innovativa, che crede nella diffusione di concetti attraverso metodi "non convenzionali"? 
Conosci il nostro corso sul cybersecurity awareness a fumetti? 
Red Hot Cyber sta ricercando un nuovo sponsor per una nuova puntata del fumetto Betti-RHC mentre il team è impegnato a realizzare 3 nuovi episodi che ci sono stati commissionati. 
Contattaci tramite WhatsApp al numero 375 593 1011 per richiedere ulteriori informazioni oppure alla casella di posta [email protected]



Supporta RHC attraverso:
  1. L'acquisto del fumetto sul Cybersecurity Awareness
  2. Ascoltando i nostri Podcast
  3. Seguendo RHC su WhatsApp
  4. Seguendo RHC su Telegram
  5. Scarica gratuitamente "Dark Mirror", il report sul ransomware di Dark Lab

Se ti piacciono le novità e gli articoli riportati su di Red Hot Cyber, iscriviti immediatamente alla newsletter settimanale per non perdere nessun articolo. La newsletter generalmente viene inviata ai nostri lettori ad inizio settimana, indicativamente di lunedì.
 

The PoC specifically targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch several processes. One of these, BaaUpdate.exe, is vulnerable to COM hijacking if launched with specific parameters. The tool, written in C#, operates in two distinct modes: enumeration and attack.

  • Enum Mode: An attacker can use this mode to identify active user sessions on a target host. This allows the threat actor to select a highly privileged user, such as a domain administrator, for the attack.
  • Attack Mode: In this mode, the tool executes the attack. The attacker specifies the target host, the username of the active session, a path to delete the malicious DLL, and the command to execute. The tool then executes the remote COM hijacker, activates the payload, and cleans up by removing the hijacker from the registry and deleting the DLL.

By monitoring specific behavior patterns, defenders are able to detect this technique. Key indicators include remote COM CLSID hijacking associated with BitLocker, which aims to load a newly created DLL from the compromised location via BaaUpdate.exe.

Suspicious child processes spawned by BaaUpdate.exe or BdeUISrv.exe are obvious indicators of a possible attack. Its use for legitimate purposes is rare, so security experts can conduct specific searches for the BdeUISrv.exe process to detect its potential malicious nature.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli