Key Takeaways:
- Security researchers have identified design flaws in Windows Smart App Control and SmartScreen.
- These vulnerabilities allow threat actors to bypass security warnings and run malicious apps on Windows devices.
- The study underscores the necessity for organizations to implement enhanced security measures to block malware attacks.
Cybersecurity researchers have uncovered critical design flaws in Windows Smart App Control and SmartScreen. These vulnerabilities could potentially allow cybercriminals to run malicious apps without triggering security warnings on Windows devices.
A new research study by Elastic Security Labs reveals that cybercriminals have devised several methods to bypass built-in protection mechanisms like Windows SmartScreen and Smart App Control (SAC). These methods include using digitally signed malware tools, reputation hijacking, reputation tampering, and specially crafted LNK files.
Windows SmartScreen is a security feature that helps protect users against phishing websites and malicious downloads. It uses a reputation-based protection mechanism to evaluate the safety of applications and files. Windows SmartScreen is also integrated into the Microsoft Edge web browser.
In Windows 11, Microsoft introduced Windows Smart App Control to block potentially unwanted or malicious applications. This feature uses Microsoft’s intelligent cloud-powered security to assess whether an app is safe to run. If threat intelligence cannot make a clear determination, Windows Smart App Control relies on signature verification to evaluate the app’s trustworthiness.
One of the findings concerns how Windows handles shortcut files (LNK). Windows tags all files downloaded from the internet with a digital marker called the Mark of the Web (MoTW). Windows SmartScreen only scans files carrying this tag, and Smart App Control completely blocks certain file types marked with MoTW.
The security researchers managed to strip the MoTW flag by crafting LNK files with non-standard target paths or internal structures. “When clicked, these LNK files are modified by explorer.exe with the canonical formatting. This modification leads to removal of the MotW label before security checks are performed,” Elastic Security researcher Joe Desimone explained.
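As an added audit example (not code from the article or from Elastic Security Labs), the script below reports the MoTW state of files in a folder by reading the Zone.Identifier alternate data stream, and flags LNK files that carry no mark so a defender can review shortcuts that may have lost it. It assumes Windows with NTFS and PowerShell 5.1 or later, saved as a .ps1 file; the $Path parameter and the Get-MotwStatus function are hypothetical names chosen here.

```powershell
# Added audit example: report Mark of the Web (Zone.Identifier stream) state per file.
# Assumes NTFS and Windows PowerShell 5.1+; $Path defaults to the user's Downloads folder.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-MotwStatus {
    param([System.IO.FileInfo]$File)
    $zone = $null
    $referrer = $null
    try {
        # Zone.Identifier is INI-style text: [ZoneTransfer], ZoneId=3 (Internet), optional ReferrerUrl/HostUrl.
        $content = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $content) {
            if ($line -match '^ZoneId=(\d+)\s*$') { $zone = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
        }
        return [pscustomobject]@{ HasMotw = $true; ZoneId = $zone; ReferrerUrl = $referrer }
    } catch {
        # No Zone.Identifier stream: the file was never marked, or the mark was removed.
        return [pscustomobject]@{ HasMotw = $false; ZoneId = $null; ReferrerUrl = $null }
    }
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $status = Get-MotwStatus -File $_
    # A shortcut in a download location with no MoTW matches the rewrite described
    # above and deserves a closer look; other unmarked files are reported but not flagged.
    $flag = if ($_.Extension -ieq '.lnk' -and -not $status.HasMotw) { 'REVIEW' } else { '' }
    [pscustomobject]@{
        File        = $_.FullName
        HasMotw     = $status.HasMotw
        ZoneId      = $status.ZoneId
        ReferrerUrl = $status.ReferrerUrl
        Flag        = $flag
    }
} | Format-Table -AutoSize
```

Shortcuts created locally never carry a mark, so a REVIEW flag is a prompt to inspect the file's origin and target, not a verdict on its own.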
Elastic Security Labs also highlighted several other tactics to bypass reputation-based protections. One such technique, reputation hijacking, involves exploiting the good reputation of trusted websites, applications, and other entities to conduct malicious activities. Researchers found that threat actors use trusted script hosts like Lua, Node.js, and AutoHotkey for these attacks.
Reputation seeding attacks involve placing an attacker-controlled binary or executable file on the target system so that it builds a positive reputation over time. Once that reputation is established, the malicious file can be used for harmful activities. Lastly, reputation tampering attacks involve altering specific code sections of apps to make them appear safe. Researchers found that certain changes to a file do not affect the application’s reputation.
Elastic Security Labs advises organizations to use robust behavior analysis tools to monitor common attack tactics, such as persistence, enumeration, in-memory evasion, credential access, and lateral movement. It also recommends that organizations closely inspect all downloaded files rather than relying solely on OS-native security features.