Share This:

Cybersecurity Threat Advisory

A design flaw within Windows Smart App Control (SAC) and SmartScreen has allowed attackers to launch programs without triggering a security warning. Review this Cybersecurity Threat Advisory to find out how to prevent attackers from exploiting this flaw and keep your systems safe.

What is the threat?

Several design flaws were found in SAC and SmartScreen which allows threat actors access to victims’ environments without warnings. Most notable is a method called LNK stomping. Attackers can create LNK files with non-standard target paths which when the victim clicks on the path, it will cause explorer.exe to automatically modify the LNK file using correct formatting. This incidentally also removes the Mark of The Web (MOTW) which Windows uses to trigger SAC and SmartScreen.

Why is it noteworthy?

SAC and SmartScreen where introduced by Microsoft to protect Windows devices from malicious, untrusted apps from being run on the system. Noting as far back as far back as 2018, attackers have abused this weakness in the wild for years.

What is the exposure or risk?

Below are some of the methods attackers have used to bypass SAC and SmartScan:

  • Signed malware: Attackers can set up a business and obtain an Extended Validation (EV) certificate to sign their malware which completely bypasses SAC and SmartScreen. Alternatively, they can impersonate legitimate businesses to steal certificates and sign their programs.
  • Reputation hijacking: A technique in which known-good programs are used to load and execute malicious scripts. This can be programs such as Lua, Noje.js, and AutoHotKey interpreters.
  • Reputation seeding: Seeding attacker-controlled binaries into the system and giving enough time for the binaries to become trusted by SAC and SmartScreen. Once trusted, they will stop creating a flag and can be used for more malicious purposes.
  • Reputation tampering: Modifying a binary to include malicious code. SAC assigns a reputation to binaries and allows users to modify them slightly while still maintaining trust. Through trial and error, attackers can modify a binary to contain malicious code while still maintaining a trusted or benign reputation with SAC.

What are the recommendations?

Barracuda MSP recommends the following actions to minimize your risks:

  • Create a block list of known applications that can be used for reputation hijacking, as well as code execution.
  • Add behavioral detections to provide a more robust security approach. Next generation endpoint detection and response tools such as Barracuda XDR Managed Endpoint Security combines behavioral detection with a 24/7 security operations center (SOC) to provide optimal protection.
  • Educate users to pay special attention to explorer.exe overwriting an LNK file

References:

For more in-depth information on the above recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.


Share This:
Devyn Souza

Posted by Devyn Souza

Devyn is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Devyn supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *