
Hackers have been exploiting Windows Smart App Control vulnerabilities for 6 years

Cybersecurity researchers at Elastic Security Labs have discovered design flaws in Windows Smart App Control (SAC) and SmartScreen that allow attackers to gain initial access without security warnings or pop-ups.

For those who don’t know, Microsoft (Defender) SmartScreen has been a built-in feature of the operating system since its introduction in Windows 8.

It warns users about phishing and malware on websites and in applications, and about downloads of potentially malicious files. It evaluates files that carry the "Mark of the Web" (MotW) when a user opens them.

With the release of Windows 11, Microsoft introduced Smart App Control (SAC), an evolution of SmartScreen.

SAC combines Microsoft Application Analysis Services and Windows Code Integrity features to protect users from malicious, untrusted (unsigned), or potentially unwanted applications running on the device.

It is worth noting that enabling SAC overrides and disables the Defender SmartScreen feature.

Microsoft also exposes undocumented APIs for querying the trust level that SmartScreen and Smart App Control assign to a file. Elastic used these APIs to build a tool that displays the trust level of a given file.

In its report, Elastic Security Labs details a bug in LNK file handling (which it calls LNK stomping) that lets an attacker slip past the Smart App Control check designed to block untrusted applications.

LNK stomping attacks involve crafting LNK (Windows shortcut) files with non-standard target paths or internal structures.

When such a shortcut is clicked, explorer.exe rewrites it into canonical form and saves the corrected file back to disk. That rewrite drops the MotW label from the downloaded file before Windows performs its security check.

“The easiest way to demonstrate this issue is to add a period or space to the executable path of the target file (e.g. powershell.exe). Alternatively, you can create a LNK file containing a relative path such as .\target.exe. Once the link is clicked, explorer.exe will search for and find a matching .exe name, automatically correct the full path, update the file on disk (removing MotW), and finally execute the target,” Elastic Security Labs researchers wrote in their investigative report.
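To make the two indicators in the quote concrete (a trailing dot or space in the target path, and a bare relative path such as `.\target.exe`), here is an added Python example. It is not Elastic's tool and not code from the report: it builds minimal .lnk files with those traits from constructed sample paths and flags them. It decodes only the ShellLinkHeader, the LinkInfo LocalBasePath and the RELATIVE_PATH string, and skips the ItemIDList, so a trailing-dot path stored only in the IDList would be missed; the heuristics in `stomping_indicators` are my own assumptions, not rules from the report.

```python
"""Parse Windows Shell Link (.lnk) files and flag the non-canonical target
paths that trigger explorer.exe's rewrite (LNK stomping).

Added example; not Elastic's tool. Only the LinkInfo LocalBasePath and the
RELATIVE_PATH string are decoded, enough for the two indicators the article
describes. The sample .lnk bytes are constructed here with build_lnk().
"""
import struct

HEADER_FMT = "<I16sIIQQQIIIHHII"          # ShellLinkHeader, 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, IS_UNICODE = 0x08, 0x80


def _link_info(local_base_path: str) -> bytes:
    """LinkInfo with a VolumeID and an ANSI LocalBasePath (no network part)."""
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = local_base_path.encode("ascii") + b"\x00"
    suffix = b"\x00"                                   # empty CommonPathSuffix
    hdr = 0x1C
    base_off = hdr + len(volume_id)
    suffix_off = base_off + len(base)
    total = suffix_off + len(suffix)
    # LinkInfoFlags 0x1 = VolumeIDAndLocalBasePath present
    return (struct.pack("<IIIIIII", total, hdr, 0x1, hdr, base_off, 0, suffix_off)
            + volume_id + base + suffix)


def build_lnk(local_base_path=None, relative_path=None) -> bytes:
    """Build a minimal .lnk: header, optional LinkInfo, optional RELATIVE_PATH."""
    flags = IS_UNICODE
    body = b""
    if local_base_path is not None:
        flags |= HAS_LINK_INFO
        body += _link_info(local_base_path)
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)               # times, size, icon, SW_SHOWNORMAL
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus the two target-path fields this check needs."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != 0x4C or fields[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = fields[2]
    pos = 0x4C
    info = {"flags": flags, "local_base_path": None, "relative_path": None}
    if flags & HAS_LINK_TARGET_ID_LIST:                # skip the ItemIDList (not decoded)
        (id_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_size
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol, base_off, _net, _suf = struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & 0x1:                             # VolumeIDAndLocalBasePath
            start = pos + base_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("ascii", "replace")
        pos += li_size

    def read_string() -> str:                          # StringData: CountCharacters + chars
        nonlocal pos
        (n,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            s, pos = data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
        else:
            s, pos = data[pos:pos + n].decode("ascii", "replace"), pos + n
        return s

    if flags & HAS_NAME:
        read_string()                                  # NAME_STRING precedes RELATIVE_PATH
    if flags & HAS_RELATIVE_PATH:
        info["relative_path"] = read_string()
    return info


def stomping_indicators(info: dict) -> list:
    """Heuristics (assumed, not from the report): paths explorer.exe would canonicalise."""
    hits = []
    for label, path in (("LocalBasePath", info["local_base_path"]),
                        ("RelativePath", info["relative_path"])):
        if path and path != path.rstrip(" ."):
            hits.append(f"{label} ends in a dot or space: {path!r}")
    if info["relative_path"] and not info["flags"] & (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO):
        hits.append(f"RelativePath without IDList or LinkInfo: {info['relative_path']!r}")
    return hits


if __name__ == "__main__":
    samples = {  # constructed inputs, not real malware samples
        "canonical": build_lnk(r"C:\Windows\System32\notepad.exe", r"..\..\Windows\System32\notepad.exe"),
        "trailing dot": build_lnk(r"C:\Windows\System32\powershell.exe."),
        "relative only": build_lnk(relative_path=r".\target.exe"),
    }
    for name, blob in samples.items():
        print(name, "->", stomping_indicators(parse_lnk(blob)) or "clean")
```

Running the file prints one line per constructed sample. The check only works on the shortcut as delivered: once explorer.exe has rewritten the file, both the anomaly and the MotW stream are gone, so it belongs at mail or download scanning time rather than after the click.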

Elastic Security Labs has identified multiple samples containing this bug in the VirusTotal database, indicating that it has been used in practice for many years. The oldest sample was submitted over six years ago, in February 2018.

The research firm shared its findings with the Microsoft Security Response Center (MSRC), which responded that the issue “may be resolved in a future Windows update.”

In addition to LNK Stomping, Elastic Security Labs also described other weaknesses that attackers can exploit to avoid detection, including:

Signed malware: Malware carrying a valid code signature, including one made with a legitimately issued Extended Validation (EV) certificate, does not trigger a warning from Smart App Control or SmartScreen.

Reputation hijacking: Finding and repurposing applications that already have a good reputation, so that the attacker's code runs under that reputation and bypasses the protection.

Reputation seeding: Planting attacker-controlled binaries that appear harmless and function correctly, for example an application with a known vulnerability, or code that only turns malicious once certain conditions are met or a set amount of time has passed, so that they accumulate a good reputation before they are used.

Reputation tampering: Modifying certain sections of a file without changing its reputation, which allows attackers to inject malicious code into already-trusted binaries.

“Reputation-based protection systems are a powerful layer of protection against malware. However, like any protection technique, they have weaknesses that can be bypassed with a little care,” the company concluded.

“Security teams should carefully review downloaded files against their detection stack and not rely solely on native operating system security features to protect in this area.”

Elastic Security Labs has released an open-source tool to check the trustworthiness of a file in Smart App Control.