Hackers often target flaws in Windows Smart App Control and SmartScreen to launch malicious code and applications for their illicit purposes.
Threat actors aiming to undermine Windows security features can use these vulnerabilities to gain illicit access, steal sensitive data, and compromise system integrity.
Cybersecurity researchers at Elastic Security Labs discovered that Windows Smart App Control and SmartScreen vulnerabilities let hackers hijack systems.
Windows Smart App Control Vulnerability
Microsoft’s Windows security features SmartScreen and Smart App Control (SAC) are meant to shield users against malicious software.
SmartScreen, introduced in Windows 8, relies on the Mark of the Web, while Windows 11 introduced SAC, which checks with Microsoft's cloud services to determine whether an app is safe.
However, these measures have not stopped attackers, who have developed sophisticated bypass methodologies.
Some of these techniques include code-signing malware with certificates obtained through deceitful means, or reputation hijacking, in which trusted applications are abused to execute malicious code.
The Elastic Labs report states that these vulnerabilities demonstrate the unending battle between security developers and threat actors, highlighting the need for constant improvement in defensive strategies.
Attackers have designed sophisticated methods to overcome reputation-based security systems like Microsoft’s Smart App Control (SAC) and SmartScreen.
LNK file bypassing MotW restrictions under Smart App Control (Source – Elastic)
These techniques include the following:
Seeding: Attackers trick people into running harmless-appearing binaries, which lets the binary build a good reputation before its malicious payload is activated. These binaries may appear innocuous and behave well at first, but they carry hidden threats that are activated after a certain trigger or period. SAC is vulnerable to this type of attack, particularly when basic anti-emulation techniques are used.
Reputation tampering: Surprisingly, in some cases, modifying files does not affect their reputation in SAC. SAC may rely on fuzzy hashing or ML-based similarity comparison rather than a strict cryptographic hash. The trusted status can be retained even though portions of the code have been tampered with by the attackers.
Mark of the Web (MotW) bypasses: A significant vulnerability involves LNK files crafted in special ways. Windows Explorer processes these files in a manner that removes the MotW label before any security checks occur. Such methods include appending characters to the end of the target executable path or using relative paths in the LNK file.
These attack vectors were observed in real-world malware samples, with some MotW bypass techniques dating back six years.
The persistence and evolution of these techniques highlight the ongoing difficulties in cybersecurity, which require regular enhancement of defensive strategies to counter increasingly sophisticated threats.
Due to their polymorphic nature, reputation-hijacking attacks are difficult to detect. Blocking known abused applications is a good starting point, but it is typically reactive.
More effective mechanisms involve developing behavioral signatures for commonly abused software categories and monitoring downloaded files, particularly those found in non-standard locations.
Attention must also be paid to LNK file modifications made by explorer.exe, which could indicate MotW bypasses. Ultimately, robust behavioral monitoring for common attack techniques remains essential, as reputation-based defenses alone cannot protect against advanced threats.
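The following is an added example, not code from Elastic Security Labs or from the report above, showing how the two detection ideas in this section (explorer.exe modifying LNK files, and downloaded files landing in non-standard locations) and the MotW concept from the bypass list can be turned into simple triage logic. The event records are constructed samples in a Sysmon-like shape; the field names (`image`, `target`, `zone_identifier`) are assumptions and not a real product schema. The `Zone.Identifier` stream format (`[ZoneTransfer]` / `ZoneId=3`) is the real MotW format, and ZoneId 3 is the Internet zone.

```python
"""Triage rules for the SAC/SmartScreen bypass indicators discussed above.

Added example; not Elastic's code. Event field names are assumptions.
"""
from __future__ import annotations

from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Zone IDs carried in the Zone.Identifier alternate data stream (real values).
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4

# Directories where browser downloads are expected; anything downloaded
# elsewhere is worth a second look (assumed policy for this example).
STANDARD_DOWNLOAD_DIRS = {"downloads", "temp", "tmp"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\invoice.lnk"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt"},
    {"image": r"C:\Program Files\Browser\browser.exe",
     "target": r"C:\Users\alice\Downloads\setup.exe",
     "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"image": r"C:\Program Files\Curl\curl.exe",
     "target": r"C:\Users\Public\Music\update.exe",
     "zone_identifier": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/u.exe\r\n"},
    {"image": r"C:\Program Files\Curl\curl.exe",
     "target": r"C:\Users\Public\Music\local.exe"},  # no MotW stream at all
]


def parse_zone_identifier(stream: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent."""
    if not stream:
        return None
    for line in stream.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid" and value.strip().isdigit():
            return int(value.strip())
    return None


def is_explorer_lnk_write(event: dict) -> bool:
    """explorer.exe rewriting a .lnk file is the MotW-bypass indicator named above."""
    image = PureWindowsPath(event["image"]).name.lower()
    target = PureWindowsPath(event["target"])
    return image == "explorer.exe" and target.suffix.lower() == ".lnk"


def is_download_in_nonstandard_location(event: dict) -> bool:
    """A file marked as coming from the Internet but written outside the usual
    download directories matches the 'non-standard locations' guidance."""
    zone = parse_zone_identifier(event.get("zone_identifier"))
    if zone is None or zone < ZONE_INTERNET:
        return False
    parent_parts = {p.lower() for p in PureWindowsPath(event["target"]).parent.parts}
    return not (parent_parts & STANDARD_DOWNLOAD_DIRS)


def triage(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Apply both rules and return (rule_name, target_path) findings in order."""
    findings: list[tuple[str, str]] = []
    for ev in events:
        if is_explorer_lnk_write(ev):
            findings.append(("explorer_lnk_write", ev["target"]))
        if is_download_in_nonstandard_location(ev):
            findings.append(("download_nonstandard_location", ev["target"]))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The rules are deliberately narrow: the LNK rule keys only on explorer.exe writing a `.lnk`, which will also fire on ordinary shortcut edits, so in practice it should be correlated with a subsequent process launch from that shortcut rather than alerted on alone. The download rule depends on the Zone.Identifier stream still being present; a file that has already lost its MotW (the last sample) produces no finding, which is exactly why the LNK-modification signal is needed alongside it.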