Exploited Windows “Mark-of-the-Web” Zero-Day
〽️

Exploited Windows “Mark-of-the-Web” Zero-Day

📅 [ Archival Date ]
Nov 1, 2022 10:26 AM
🏷️ [ Tags ]
MoTWWindows
✍️ [ Author ]

An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.

The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.

image

The Mark-of-the-Web alternate data stream Source: BleepingComputer

This 'Zone.Identifier' alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.

When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.

"While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software," reads the warning from Windows.

image

Windows security warning when opening files with MoTW flags Source: BleepingComputer

Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

Windows MoTW bypass zero-day flaw

The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

image

JavaScript file used to install the Magniber Ransomware Source: BleepingComputer

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the attackers signed these files with a malformed key.

image

Malformed signature in malicious JavaScript file Source: BleepingComputer

When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.

Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.

Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

image

Mark-of-the-Web on Dormann's PoC exploits Source: BleepingComputer

The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all.

image

Dormann's PoC Exploits Source: BleepingComputer

When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.

However, when double-clicking the 'calc-othersig.js,' which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.

image

Demonstration of the Windows zero-day bypassing security warnings Source: BleepingComputer

Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.

BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.

Dormann told BleepingComputer that he believes this bug was first introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

image

According to Dormann, the bug stems from Windows 10's new 'Check apps and files' SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.

"This issue is in the new-as-of-Win10 SmartScreen feature. And disabling "Check apps and files" reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures," Dormann told BleepingComputer.

"So that whole setting is unfortunately currently a tradeoff. On one hand, it does scan for baddies that are downloaded."

"On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled."

The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.

Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.

However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.

Update 10/22/22

After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.

To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.

image

Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run.

"Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is," explained Dormann.