top of page

New Use of Windows Security Bypass for Malware Delivery

Researchers have found that a new phishing attack is able to take advantage of a Windows zero-day flaw to deliver malware—all without ever displaying “Mark of the Web” warnings that are meant to flag suspicious files in Windows.

The Mark of the Web (MoTW) is a special attribute that Windows adds to files when they are downloaded from an untrusted remote location like the public Internet or via an email attachment. It is meant to be an alternate data tag that records file information such as the URL security zone from which the file originates, and its download source URL plus the referrer.

This is used by Windows to trigger a warning when a user tries to open files with MoTW attributes. Windows displays security warnings, encouraging users to make sure they really want to open the file. The Windows warning explains:

"While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software."

Windows Mark of the Web security warning

The HP threat intelligence team reported last month that a phishing attack was spreading the Magniber ransomware via JavaScript files, which are standalone files with the '.JS' extension, and which are executed through the Windows Script Host (wscript.exe) rather than in a browser. Analysis of the files revealed that the threat actors were using a new Windows zero-day vulnerability to disable Mark of the Web security warnings.

This Microsoft support article explains how files could be signed using an embedded base64 encoded signature block to exploit this vulnerability.

In this way, a malicious file with such a malformed signatures will not be flagged by Microsoft SmartScreen and Windows will automatically allow the program to run without showing the MoTW security warning.

Microsoft first became aware of this zero-day vulnerability in October. With malware campaigns actively exploiting it this is hopefully going to pressure Microsoft to finally remediate the vulnerability in the December 2022 Patch Tuesday security updates.

The experts at Webcheck Security can assist your organization in identifying weaknesses in your security defenses, both through penetration testing and through analysis by consulting Chief Information Security Officers (CISOs). Contact us today to explore your options!

13 views0 comments


bottom of page