Threat actors have been exploiting a vulnerability in the way Windows processes LNK files, particularly those with unconventional target paths and internal structures. This exploitation allows malicious payloads to bypass built-in security measures, effectively deceiving users into executing harmful files.
Researchers from Elastic Security Labs have uncovered numerous samples on VirusTotal that demonstrate this vulnerability’s active use, with the earliest identified instance dating back over six years. This highlights a persistent issue that has been lurking in the shadows of cybersecurity.
Windows’ In-Built Protections
Attackers are continually devising innovative strategies to circumvent Microsoft’s protective measures, including SmartScreen and Smart App Control (SAC). SmartScreen, a longstanding security feature, is designed to shield Windows users from potentially harmful webpages and files downloaded from the internet or restricted sites. It operates by cross-referencing files against a dynamic list of reported phishing and malicious software sites.
Files that are flagged with Mark of the Web (MotW) metadata are subjected to additional scrutiny. SmartScreen checks these against an allowlist of recognized executables. If a file is not included in this list, SmartScreen intervenes, preventing execution and issuing a warning. Users may choose to override this caution unless enterprise administrators have implemented policies to restrict such actions.
Similarly, Smart App Control enhances security by verifying applications against a database of known safe apps. As explained by the researchers, “SAC works by querying a Microsoft cloud service when applications are executed. If they are known to be safe, they are allowed to execute; however, if they are unknown, they will only be executed if they have a valid code signing signature.” When SAC is enabled, it effectively replaces and disables Defender SmartScreen.
LNK Stomping = Simple MotW Bypass
In a bid to bypass these protective measures, attackers have resorted to signing malware with legitimate code-signing certificates, repurposing reputable applications, or manipulating binaries to appear harmless enough to be included on the known safe app list. The latest technique identified by researchers, termed “LNK stomping,” enables attackers to circumvent Mark-of-the-Web (MOTW) controls by crafting LNK (Windows shortcut) files with non-standard target paths or internal structures.
This manipulation compels Windows to canonicalize or “fix” the path or structure of the file, effectively erasing the MotW metadata. In the absence of this metadata, both SmartScreen and SAC mistakenly classify the file as safe, allowing it to execute without any warning.
Researchers illustrated this vulnerability with simple examples: appending a dot or space to the target executable path (e.g., powershell.exe.) or creating an LNK file with a relative path such as .target.exe. Another variant involves crafting a multi-level path within a single entry of the LNK’s target path array.
Details regarding this bug have been disclosed to the Microsoft Security Response Center, which has indicated that a fix may be forthcoming in a future Windows update. In the interim, researchers advise security teams to meticulously scrutinize downloads within their detection frameworks, emphasizing that reliance solely on OS-native security features is insufficient for robust protection in this domain.