A significant security vulnerability has been uncovered in Windows Smart App Control and SmartScreen, with roots tracing back to at least 2018. According to researchers at Elastic Security Labs, the flaw poses a serious risk because it lets attackers run malicious programs on a device without triggering the warnings normally shown for files that carry the Mark of the Web (MotW).
Exploitation Mechanism
The exploitation revolves around crafting LNK files with modified target paths or internal structures. When such a file is opened, Windows Explorer automatically rewrites it into its canonical form, and that rewrite inadvertently strips the MotW tag. Triggering the rewrite is deceptively simple: a single space or dot in the target path is enough to make Windows Explorer update the file, which eliminates the security alert that Smart App Control and SmartScreen would otherwise raise.
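As an added detection-side example, not code from Elastic Security Labs or the original article: a Python triage check that parses the stored LocalBasePath of a .lnk file and flags targets whose path components end in a space or dot, the non-canonical form described above that Explorer rewrites. Field offsets follow the public MS-SHLLINK binary format; the sample link is constructed here purely as a test fixture, and the function and constant names are this example's own.

```python
import struct
from typing import Optional

# Field layout follows the public MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

def extract_local_base_path(data: bytes) -> Optional[str]:
    """Return the stored LocalBasePath (ANSI) of a .lnk, or None if it has no LinkInfo."""
    if len(data) < HEADER_SIZE or data[:20] != struct.pack("<I", HEADER_SIZE) + LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: a 2-byte size plus that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    info_size, _, info_flags, _, base_off = struct.unpack_from("<5I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None
    start = pos + base_off
    end = data.index(b"\x00", start, pos + info_size)  # terminator must lie inside LinkInfo
    return data[start:end].decode("cp1252")

def is_noncanonical_target(path: str) -> bool:
    """Win32 normalisation strips trailing spaces and dots from each path component, so a
    stored target that still carries them is one the shell will rewrite when resolving it."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p not in ("", ".", "..")]
    return any(p != p.rstrip(" .") for p in parts)

def flag_noncanonical_lnk(data: bytes) -> bool:
    """Triage verdict for one .lnk file: True when its target path is not in canonical form."""
    target = extract_local_base_path(data)
    return target is not None and is_noncanonical_target(target)

def build_sample_lnk(target: str) -> bytes:
    """Constructed test fixture, not a real-world sample: a minimal .lnk with only a LinkInfo
    block (VolumeID plus the given LocalBasePath) and no IDList or string data."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<4I", 0x11, 3, 0x12345678, 0x10) + b"\x00"  # dummy serial/label
    base = target.encode("cp1252") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, base_off, 0, suffix_off)
    return header + link_info + volume_id + base + b"\x00"  # empty CommonPathSuffix
```

The check covers only the trailing space or dot variant; links that use a modified internal structure rather than a non-canonical target path need a separate rule.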
Interestingly, the flaw has been in active use for several years, with the earliest recorded instance on VirusTotal dating back at least six years. This indicates a long-standing vulnerability that has gone largely unnoticed until now.
Additional Bypass Techniques
Elastic Security Labs has identified further methods that attackers can use to circumvent the controls of Smart App Control and SmartScreen. One is to sign malicious payloads with code-signing or Extended Validation (EV) signing certificates so that they evade detection. Another is to abuse applications that already hold a good reputation, allowing the payload to slip past reputation-based checks unnoticed.
Another tactic includes deploying malicious applications that only activate security checks under specific conditions, thereby reducing the likelihood of detection during initial access.
Recommendations for Security Teams
In light of these findings, Elastic Security Labs emphasizes that security teams should scrutinize downloads closely within their own detection stack and cautions against relying solely on the operating system's built-in security features for comprehensive protection. To help defenders identify this activity until an official patch is released, Elastic Security Labs is providing detection logic and countermeasures.