Researchers unearth MotW bypass technique used by threat actors for years
Threat actors have been abusing a bug in how Windows handles LNK files with non-standard target paths and internal structures to prevent in-built protections from stopping malicious payloads and trick users into running them.
“We identified multiple samples in VirusTotal that exhibit the bug, demonstrating existing in the wild usage. The oldest sample identified was submitted over 6 years ago,” Elastic Security Labs researchers found.
Windows’ in-built protections
Attackers are constantly coming up with new ways to bypass Microsoft’s defenses, including SmartScreen and Smart App Control (SAC).
SmartScreen is an older security feature that aims to protect Windows users against potentially malicious webpages and files downloaded from the internet or restricted sites.
The former are checked against a dynamic list of reported phishing and malicious software sites, while the latter receive Mark of the Web (MotW) metadata by default, and SmartScreen checks them against an allowlist of well-known executables. If a file is not listed, SmartScreen blocks it from executing and shows a warning. Users can override the warning and proceed, unless enterprise admins have set a policy that prevents them from doing so.
In other words, Microsoft (Defender) SmartScreen checks files marked with MotW against an allow list; if the file isn’t listed, SmartScreen alerts the user that the file is unknown and prevents it from executing unless the user insists on running it.
Similarly, the newer Smart App Control (SAC) checks apps that users want to run against a list of known safe apps. “[SAC] works by querying a Microsoft cloud service when applications are executed. If they are known to be safe, they are allowed to execute; however, if they are unknown, they will only be executed if they have a valid code signing signature. When SAC is enabled, it replaces and disables Defender SmartScreen,” the researchers explained.
LNK stomping = Simple MotW bypass
Attackers have been bypassing these protections by signing malware with valid code-signing certificates, by repurposing apps with a good reputation, or by finding ways to make binaries appear benign so they are added to the known safe app list.
This latest technique, which the researchers have named “LNK stomping”, allows attackers to bypass Mark-of-the-Web (MOTW) controls by crafting LNK (i.e., Windows shortcut) files so that they have non-standard target paths or internal structures.
When such a file is opened, Windows canonicalizes (“fixes”) the non-standard path or structure and rewrites the LNK file, which strips its MotW metadata. Without that metadata, SmartScreen and SAC do not flag the file and run it without a warning.
“The easiest demonstration of this issue is to append a dot or space to the target executable path (e.g., powershell.exe.). Alternatively, one can create an LNK file that contains a relative path such as .\target.exe,” they explained. “Yet another variant involves crafting a multi-level path in a single entry of the LNK’s target path array.”
The researchers have disclosed details of the bug to the Microsoft Security Response Center, who apparently said that it may be fixed in a future Windows update.
In the meantime, though, they urge security teams to “scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.”
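One way a detection stack can scrutinize downloaded shortcuts for the path shapes the article describes, as an added example that is not part of the article or of Elastic’s published rules: a small Python parser for the LinkInfo section of the LNK (MS-SHLLINK) format, plus heuristics that flag a trailing dot or space and non-absolute targets. The `build_lnk` helper constructs minimal test shortcuts inline so the check runs offline; the heuristics and function names are this example’s own assumptions.

```python
import re
import struct

# MS-SHLLINK LinkFlags bits used here, and the ShellLink CLSID in on-disk byte order
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Extract LocalBasePath from a .lnk's LinkInfo block (None if the block is absent)."""
    if len(data) < 0x4C or data[:20] != struct.pack("<I", 0x4C) + LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C                                   # end of the fixed 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; its size prefix excludes itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    result = {"local_base_path": None}
    if flags & HAS_LINK_INFO:
        # LinkInfoSize, LinkInfoHeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        _, _, info_flags, _, lbp_off = struct.unpack_from("<IIIII", data, off)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath is present
            start = off + lbp_off
            result["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
    return result

def lnk_stomping_indicators(info: dict) -> list:
    """Heuristics (assumed, not Elastic's rules) for the suspicious target shapes described above."""
    hits, target = [], info.get("local_base_path")
    if target:
        if target[-1] in ". ":                   # e.g. powershell.exe. or a trailing space
            hits.append("target path ends with a dot or space")
        if not re.match(r"^(?:[A-Za-z]:\\|\\\\)", target):   # not C:\... and not a UNC path
            hits.append("target path is not absolute")
    return hits

def build_lnk(local_base_path: str) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo only) used as an offline test fixture."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", HAS_LINK_INFO, 0x80)
    header += b"\x00" * 24 + struct.pack("<IIIH", 0, 0, 1, 0) + b"\x00" * 10  # times, size, icon, SW_SHOWNORMAL
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"                 # VolumeID: DRIVE_FIXED, empty label
    lbp = local_base_path.encode("latin-1") + b"\x00"
    lbp_off = 0x1C + len(volume)                                                # VolumeID sits right after the header
    suffix_off = lbp_off + len(lbp)                                             # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, lbp_off, 0, suffix_off)
    return header + link_info + volume + lbp + b"\x00"

def scan_lnk_bytes(data: bytes) -> list:
    """Convenience wrapper: parse a shortcut and return its indicator list."""
    return lnk_stomping_indicators(parse_lnk(data))
```

Running `scan_lnk_bytes` over the contents of each `.lnk` in a Downloads folder gives a cheap triage signal; a hit is a reason to inspect the file rather than a verdict, since legitimate shortcuts with relative targets exist.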