Windows 0-day (Mark of the Web) used for ransomware attacks via JavaScript

Windows[English]The days I had reported about an unfixed 0-day vulnerability, Mark of th e Web (MOTOW), in Windows for which there is an unofficial fix. Now a report has come to my attention that a 0-day vulnerability in this area can be exploited by cybercriminals via JavaScript to bypass web security alerts and disguise ransomware attacks. The background is that a bug in Windows 10 prevents Windows' SmartScreen filter from kicking in when an invalid digital signature is present.


What is MOTW about?

Windows can display a security warning before opening and launching an executable file downloaded from the Internet. This only works for files that have the Mark of the Web (MOTW) flag set. The Smart App Control feature, for example, evaluates this flag and is intended to provide better protection against new and emerging threats in Windows 11 by blocking malicious or untrusted apps. Smart App Control is also meant to help block potentially unwanted apps. These are apps that can cause your device to run slowly, display unexpected ads, offer additional software that is not wanted by the user. Microsoft Office also blocks macros in documents with MOTW (source). 

Bug prevents setting the MOTW flag

Attackers therefore try to avoid marking their malicious files with MOTW. A bug in Windows allows attackers to create a ZIP archive in such a way that extracted malicious files are not marked with MOTW. Security researcher Will Dormann discovered this vulnerability in Windows in May 2022. 

ZIP MotW vulnerability

This vulnerability allows an attacker to prevent Windows from setting the "Mark of the Web" mark for files extracted from a ZIP archive. This is true even if the ZIP archive comes from an untrusted source such as the Internet, an email, or a USB stick. This renders Microsoft's nice security solutions ineffective.

Will informed Microsoft about this problem in July, but an official solution has not been provided yet. In the meantime, the vulnerability is apparently being exploited in the wild. So far, however, there is no patch and not even a CVE identifier for it. However, in the blog post Windows: 0Patch Micropatch for MOTOW ZIP file bug (0-day, no CVE) I had reported that ACROS Security for Windows provides a free micropatch to block the exploitability of the vulnerability. 


New attack on 0-day via JavaScript

But there seems to be another bug in Windows that prevents it from warning about files from the Internet even when the Mark of the Web flag is set. Colleagues at Bleeping Computer addressed the issue in this article, pointing out the possibility that threat actors can exploit the vulnerability via JavaScript files to bypass mark-of-the-Web security warnings. The HP Threat Intelligence Team recently reported that threat actors are infecting systems with Magniber ransomware via JavaScript files (JS files). The JS files in question are even digitally signed with an embedded base64-encoded signature block (a Microsoft support article describes this). 

MotW bypassing per JS file

Will Dormann analyzed one such example and made an unattractive find. The Authenticode signature was both invalid and intended for other content. Nevertheless, on Windows 10, neither SmartScreen nor other mechanisms displayed warnings before the JS file was executed. In the cases analyzed, the MotW was even present. Dormann describes his findings in a series of tweets – and the colleagues from Bleeping Computer have put the whole thing together in their article

The crux: If a signature is corrupted, Windows no longer checks the file via SmartScreen. It is as if there is no MoTW flag. The file is simply executed without warning – this even works via .exe file. "Files that have a MotW are treated as if no MotW is present if the signature is corrupted. What difference that makes in practice depends on what type of file it is," Dormann explained to Bleeping Computer colleagues.

Speaking to Bleeping Computer, Dormann stated that he believes this bug was only introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected. The case once again exemplifies how all the nice security features Microsoft includes in its products are of no use if attackers can bypass them via bugs.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *