Cybersecurity researchers have identified design weaknesses in Microsoft’s Windows Smart App Control and SmartScreen, which could allow threat actors to gain initial access to target environments without triggering any alerts.
Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11. It aims to block malicious, untrusted, and potentially unwanted apps from running on the system. If SAC cannot predict an app’s behavior, it checks whether the app is signed or has a valid signature before allowing it to execute.
SmartScreen, released with Windows 10, is a similar security feature that assesses whether a website or a downloaded app is potentially malicious. It employs a reputation-based approach for URL and app protection.
“Microsoft Defender SmartScreen evaluates a website’s URLs to determine if they’re known to distribute or host unsafe content,” Redmond notes in its documentation. “It also provides reputation checks for apps, examining downloaded programs and the digital signature used to sign a file. If a URL, file, app, or certificate has an established reputation, users don’t see any warnings. If there’s no reputation, the item is marked as a higher risk and presents a warning to the user.”
When SAC is enabled, it replaces and disables Defender SmartScreen.
“Smart App Control and SmartScreen have fundamental design weaknesses that can allow initial access with no security warnings and minimal user interaction,” Elastic Security Labs reported to The Hacker News.
One of the easiest ways to bypass these protections is by getting an app signed with a legitimate Extended Validation (EV) certificate, a technique already exploited by malicious actors to distribute malware, as seen in the case of HotPage.
Other methods for detection evasion include:
– Reputation Hijacking: Identifying and repurposing apps with a good reputation to bypass the system (e.g., JamPlus or a known AutoHotkey interpreter).
– Reputation Seeding: Using an attacker-controlled binary that appears innocuous to trigger malicious behavior due to a vulnerability in an application or after a certain time has elapsed.
– Reputation Tampering: Altering sections of a legitimate binary (e.g., calculator) to inject shellcode without losing its overall reputation.
– LNK Stomping: Exploiting a bug in the way Windows shortcut (LNK) files are handled to remove the mark-of-the-web (MotW) tag and bypass SAC protections. This involves crafting LNK files with non-standard target paths or internal structures. When clicked, these LNK files are modified by explorer.exe with canonical formatting, removing the MotW label before security checks are performed.
Elastic Security Labs found in-the-wild exploits using LNK stomping as early as February 2018, based on artifacts submitted to VirusTotal, indicating that threat actors have been aware of this bypass for years.
“Reputation-based protection systems are a powerful layer for blocking commodity malware,” the company said. “However, like any protection technique, they have weaknesses that can be bypassed with some care. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area.”
