An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.
Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.
The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called ‘Zone.Identifier,’ which can be viewed using the ‘dir /R’ command and opened directly in Notepad, as shown below.
This ‘Zone.Identifier’ alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.
When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.
“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.
Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.
Windows MoTW bypass zero-day flaw
When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.
The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all.
When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.
However, when double-clicking the ‘calc-othersig.js,’ which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.
Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.
BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.
Dormann told BleepingComputer that he believes this bug was first introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.
And fully-patched 8.1 gets it right.
So I’ll say it’s fair to say that this bug was introduced with the release of Windows 10. pic.twitter.com/jJbP9quvL6
— Will Dormann (@wdormann) October 20, 2022
According to Dormann, the bug stems from Windows 10’s new ‘Check apps and files’ SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.
“This issue is in the new-as-of-Win10 SmartScreen feature. And disabling “Check apps and files” reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures,” Dormann told BleepingComputer.
“So that whole setting is unfortunately currently a tradeoff. On one hand, it does scan for baddies that are downloaded.”
“On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled.”
The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.
Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.
However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.
After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.
To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.
Can we do the same trick with a signed EXE file?
Sure! Why not?
We have a VM without internet connectivity, so we’ll see a SmartScreen warning when we know it’s being checked.
Signed calcxp.exe – (Checked w/ SmartScreen)
Modified a byte in sig – (No SmartScreen check)
— Will Dormann (@wdormann) October 18, 2022
Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run.
“Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is,” explained Dormann.