A new Windows zero-day bug is being exploited by threat actors in ransomware attacks. The vulnerability lets attackers bypass Mark-of-the-Web security warnings using stand-alone JavaScript files.
Mark-of-the-Web (MoTW) is a security feature in Windows that flags files as having been downloaded from the Internet, so that they are treated with caution because they could be malicious; Windows features such as SmartScreen and Office Protected View consult this flag before opening a file. The MoTW flag is stored as a special NTFS Alternate Data Stream named “Zone.Identifier” that is attached to a downloaded file or email attachment, and can be listed with the “dir /R” command. The ‘Zone.Identifier’ stream records the referrer, the URL the file was fetched from, and the URL security zone the file came from (a ZoneId of 3 means the Internet zone).
MoTW Bypass Flaw Explained
This zero-day bug came to light recently, when the HP threat intelligence team reported that threat actors are infecting devices with the Magniber ransomware using JavaScript files. The .JS files are distributed as attachments or downloads and run outside of a web browser, through the Windows Script Host. The attackers digitally sign the files with a malformed Authenticode signature, carried in a base64-encoded signature block embedded at the end of the script.
When a script is signed in this way, Windows does not show the SmartScreen security warning, and the script runs as soon as the user opens it and installs the Magniber ransomware, even though the JS file was obtained from the Internet and carries a MoTW flag.
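To make the two mechanisms above concrete, here is an added PowerShell example (it is not code from the article, from HP or from Microsoft) that reads the Zone.Identifier stream of downloaded .js files, checks whether each one carries an embedded Windows Script Host signature block, and asks Windows how it rates that signature. It assumes an NTFS volume (Alternate Data Streams only exist there), Windows PowerShell 5.1 or later, and that Get-AuthenticodeSignature can evaluate .js script signatures on the host; the folder path and the function names are the example's own choices.

```powershell
# Added example, not part of the original article: hunt a folder for
# Internet-zone .js files that carry an embedded Authenticode signature block
# and report whether Windows actually considers that signature valid.
# Assumptions: NTFS volume, PowerShell 5.1+, and that Get-AuthenticodeSignature
# understands Windows Script Host (.js) signatures on this machine.

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # The MoTW lives in the "Zone.Identifier" ADS as an INI-style block, e.g.
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://example.invalid/
    #   HostUrl=https://example.invalid/payload.js
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no stream: the file was never marked as downloaded
    $info = @{ ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $stream) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $info[$matches[1]] = $matches[2]
        }
    }
    if ($null -ne $info['ZoneId']) { $info['ZoneId'] = [int]$info['ZoneId'] }
    return [pscustomobject]$info
}

function Test-ScriptSignatureBlock {
    param([Parameter(Mandatory)][string]$Path)
    # Windows Script Host stores Authenticode data for .js/.vbs as a base64
    # comment block between these two marker lines at the end of the file.
    $text = Get-Content -LiteralPath $Path -Raw
    return ($text -match '// SIG // Begin signature block') -and
           ($text -match '// SIG // End signature block')
}

function Find-SuspiciousDownloadedScripts {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumed location
    Get-ChildItem -LiteralPath $Folder -Filter *.js -File -Recurse | ForEach-Object {
        $zone     = Get-ZoneIdentifier -Path $_.FullName
        $hasBlock = Test-ScriptSignatureBlock -Path $_.FullName
        $sig      = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zone.ZoneId        # 3 = Internet zone
            HostUrl     = $zone.HostUrl
            HasSigBlock = $hasBlock
            SigStatus   = $sig.Status         # Valid, NotSigned, HashMismatch, UnknownError, ...
            # An Internet-zone script that carries a signature block Windows does
            # not rate as Valid matches the pattern described in the article.
            Suspicious  = ($zone.ZoneId -eq 3) -and $hasBlock -and ($sig.Status -ne 'Valid')
        }
    }
}

Find-SuspiciousDownloadedScripts | Format-Table -AutoSize
```

To try the script without a real download, create a .js file and attach a constructed MoTW to it with `Set-Content -LiteralPath .\test.js -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"`; `Unblock-File` removes the stream again. Note that the check only surfaces candidates for analysis: a status other than Valid is what SmartScreen should have warned about, not proof that the file is Magniber. Independently of this flaw, a common hardening step is to change the default handler for .js and .jse files from wscript.exe to notepad.exe, so that double-clicking a downloaded script opens it instead of executing it.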
As reported by BleepingComputer, this method lets threat actors slip past the MoTW check and get their malware onto victims’ computers: the downloaded JS files execute as soon as they are opened, with no prompt. Will Dormann, a senior vulnerability analyst, believes the bug was first introduced with the release of Windows 10 and stems from the OS’s newer “Check apps and files” SmartScreen feature, since a fully patched Windows 8.1 device still displays the MoTW security warning for the same files.
Dormann also reported that threat actors can modify any Authenticode-signed file so that it bypasses the check, which makes the issue considerably broader than the Magniber JavaScript files. Microsoft said it is aware of the issue and is working on a fix.