An update has been added to the end of the article explaining that any Authenticode signed file, including executables, can be modified to bypass warnings.
A new Windows zero-day allows hackers to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. We are already seeing threat actors using the zero-day bug in ransomware attacks.
Windows includes a security feature called Mark-of-the-Web (MoTW) which signals that a file has been downloaded from the Internet and therefore should be treated with caution as it could be malicious.
The MoTW indicator is added to a downloaded file or email attachment as an alternate data stream named “Zone.Identifier”, which can be listed with the “dir /R” command and opened directly in Notepad, as shown below.
![The alternative Mark-of-the-Web data feed](https://oponame.com/wp-content/uploads/2022/10/1666521465_956_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
This “Zone.Identifier” alternate data stream records the URL security zone the file originated from (ZoneId 3 is the Internet zone), the referrer, and the URL the file was downloaded from.
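As an added example that is not part of the original article, the PowerShell below creates a constructed sample file, writes a Zone.Identifier stream to it the way a browser would on download, lists the streams (the PowerShell equivalent of “dir /R”), parses the zone fields, and finally removes the mark with Unblock-File. The file name and the example.com URLs are assumptions; it needs an NTFS volume and Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the article): inspect and create a Mark-of-the-Web stream.
# Assumes an NTFS volume; the sample file name and URLs below are constructed.

$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -Path $sample -Value 'hello'

# Simulate what a browser does on download: write the Zone.Identifier stream.
# ZoneId 3 = Internet zone; ReferrerUrl/HostUrl are constructed example values.
$motw = @"
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.com/downloads/
HostUrl=https://example.com/downloads/motw-demo.txt
"@
Set-Content -Path $sample -Stream Zone.Identifier -Value $motw

# List all streams on the file (like "dir /R"): the unnamed :$DATA stream plus Zone.Identifier
Get-Item -Path $sample -Stream * | Select-Object Stream, Length

function Get-MotwInfo {
    # Returns the parsed Zone.Identifier fields, or $null when the file carries no MoTW.
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    $raw = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $info = [ordered]@{ Path = $Path; ZoneId = $null; Zone = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $raw) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$matches[1]] = $matches[2] }
    }
    if ($null -ne $info.ZoneId) { $info.Zone = $zoneNames[[int]$info.ZoneId] }
    [pscustomobject]$info
}

Get-MotwInfo -Path $sample          # ZoneId 3, Zone Internet, plus the two URLs

# Unblock-File deletes the Zone.Identifier stream; Windows then treats the file as local.
Unblock-File -Path $sample
Get-MotwInfo -Path $sample          # returns nothing: the mark is gone
```

Note that the mark lives in the file system, not in the file's bytes: copying the file to a FAT/exFAT volume or into an archive that does not propagate the stream silently drops it, which is why the Windows 11 behaviour the article mentions (triggering only when the script is run directly from an archive) matters.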
When a user attempts to open a file with the Mark-of-the-Web flag, Windows displays a warning that the file should be treated with caution.
“While files from the Internet can be useful, this type of file can potentially harm your computer. If you do not trust the source, do not open this software,” reads the Windows warning.
![Windows security warning when opening files with MoTW flags](https://oponame.com/wp-content/uploads/2022/10/1666521465_251_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
Microsoft Office also uses the MoTW flag to decide whether a document should be opened in Protected View, which disables macros.
Windows MoTW bypass zero-day flaw
The HP Threat Intelligence team recently reported that threat actors were infecting devices with Magniber ransomware using JavaScript files.
To be clear, we are not talking about JavaScript files commonly used on almost all websites, but about .JS files distributed by hackers as attachments or downloads that can run outside of a web browser.
JavaScript files seen distributed by Magniber threat actors are digitally signed using an embedded base64-encoded signature block, as described in this Microsoft support article.
![JavaScript file used to install the Magniber Ransomware](https://oponame.com/wp-content/uploads/2022/10/1666521465_509_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
After analyzing the files, Will Dormann, senior vulnerability analyst at ANALYGENCE, discovered that the attackers had signed them with a malformed signature.
![Malformed signature in a malicious JavaScript file](https://oponame.com/wp-content/uploads/2022/10/1666521465_934_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
When signed in this way, even if the JS file was downloaded from the internet and received a MoTW flag, Windows would not display the security warning, and the script would run automatically to install the Magniber ransomware.
Dormann then tested this malformed signature in his own JavaScript files and was able to create proof-of-concept files that bypass the MoTW warning.
These two JavaScript (.JS) files were shared with BleepingComputer and, as you can see below, both carried the Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.
![Mark-of-the-Web on Dormann's PoC exploits](https://oponame.com/wp-content/uploads/2022/10/1666521465_331_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
The difference between the two files is that one is signed with the same malformed signature taken from the Magniber files, and the other contains no signature at all.
![Dormann's PoC exploits](https://oponame.com/wp-content/uploads/2022/10/1666521465_612_Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.jpg)
Source: BleepingComputer
When the unsigned file is opened in Windows 10, the MoTW security warning is displayed correctly.
However, when you double-click “calc-othersig.js”, which carries the malformed signature, Windows shows no security warning and simply executes the JavaScript code, as shown below.
![Demonstration of Windows zero-day bypassing security warnings](https://oponame.com/wp-content/uploads/2022/10/Exploited-Windows-zero-day-allows-JavaScript-files-to-bypass-security-warnings.gif)
Source: BleepingComputer
Using this technique, attackers can bypass the security warning normally displayed when opening downloaded JS files and have the script run automatically.
BleepingComputer was able to reproduce the bug on Windows 10. On Windows 11, however, the bug only triggered when the JS file was run directly from within an archive.
Dormann told BleepingComputer he believes this bug was first introduced with the release of Windows 10, because a fully patched Windows 8.1 device shows the MoTW security warning as expected.
And the fully patched 8.1 version does it right.
So I will say it is fair to say that this bug was introduced with the release of Windows 10. pic.twitter.com/jJbP9quvL6— Will Dormann (@wdormann) October 20, 2022
According to Dormann, the bug stems from the newer SmartScreen feature “Check apps and files” in Windows 10, found under Windows Security > App & browser control > Reputation-based protection settings.
“This issue relates to the new SmartScreen feature in Win10. And disabling ‘Check apps and files’ reverts Windows to legacy behavior, where MotW prompts are not tied to Authenticode signatures,” Dormann told BleepingComputer.
“So this whole setting is unfortunately currently a compromise. On the one hand, it’s looking for bad guys that are downloaded.”
“On the other hand, bad guys who take advantage of this bug may get LESS SECURE behavior from Windows compared to when the feature is disabled.”
The zero-day vulnerability is of particular concern because we know threat actors are actively exploiting it in ransomware attacks.
Dormann shared the proof-of-concept with Microsoft, which said it couldn’t replicate the MoTW security warnings bypass.
However, Microsoft told BleepingComputer that it is aware of the reported issue and is investigating.
Updated 22/10/22
After this article was published, Dormann told BleepingComputer that hackers can modify any Authenticode-signed file, including executables (.EXE), to bypass MoTW security warnings.
To do this, Dormann says, a signed executable can be edited with a hex editor to alter a few bytes in the signature portion of the file, which corrupts the signature.
Can we do the same with a signed EXE file?
Sure! Why not?
We have a virtual machine with no internet connectivity, so we’ll see a SmartScreen warning when we know it’s being checked.
Signed calcxp.exe – (verified with SmartScreen)
One byte change in sig – (No SmartScreen check)
pic.twitter.com/4WwdDBpU0a— Will Dormann (@wdormann) October 18, 2022
Once the signature is corrupted, Windows no longer submits the file to SmartScreen, treats it as if no MoTW flag were present, and allows it to run.
“Files that have a MotW are treated as if there is no MotW if the signature is corrupted. The real-world difference depends on the file type,” Dormann explained.
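Since the condition that triggers the bypass is a specific combination (a file that carries the Mark-of-the-Web and an Authenticode signature block that is present but does not validate), it can be hunted for. The PowerShell below is an added example, not Dormann's proof-of-concept or anything from the article: it walks a folder, keeps only files whose Zone.Identifier stream places them in the Internet or Restricted zone, runs Get-AuthenticodeSignature on each, and flags those whose signature status is neither Valid nor NotSigned. The Downloads folder default and the extension list are assumptions; it covers the script types Windows Script Host runs as well as PE files, as the update above says the same trick applies to any signed file.

```powershell
# Added example (not from the article or Dormann's PoC): find downloaded files whose
# Authenticode signature is present but broken. Assumes Windows with Get-AuthenticodeSignature;
# the default folder and extension list are assumptions, adjust to taste.

function Find-BrokenSignatureMotw {
    param(
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$Extensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.ps1', '.exe', '.dll', '.msi')
    )
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_

            # Read the Zone.Identifier stream; files without one are local and out of scope.
            $zone = $null
            foreach ($line in (Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)) {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$matches[1] }
            }
            if ($null -eq $zone -or $zone -lt 3) { return }   # 3 = Internet, 4 = Restricted

            # NotSigned: the normal MoTW prompt applies. Valid: SmartScreen reputation check applies.
            # Anything else (HashMismatch, UnknownError, NotSupportedFileFormat, ...) means a
            # signature block exists but cannot be validated, the pattern described in the article.
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            $status = $sig.Status.ToString()
            [pscustomobject]@{
                Path       = $file.FullName
                ZoneId     = $zone
                SigStatus  = $status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Suspicious = ($status -notin @('Valid', 'NotSigned'))
            }
        }
}

# Report only the hits; drop the filter to see every marked file and its signature status.
Find-BrokenSignatureMotw | Where-Object Suspicious | Format-Table -AutoSize
```

Get-AuthenticodeSignature understands the same embedded signature-block format for .js and .vbs scripts that the Magniber files used, so a script with a tampered block comes back with a non-Valid status rather than NotSigned. A hit is not proof of malice on its own (a legitimately signed file whose signature was broken by a bad download or by a transfer that dropped bytes looks the same), but on a downloaded script it is exactly the file you want to open in an editor before anything else does.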