Security News > 2024 > August > Researchers unearth MotW bypass technique used by threat actors for years
Threat actors have been abusing a bug in how Windows handles LNK files with non-standard target paths and internal structures to keep built-in protections from stopping malicious payloads and to trick users into running them.
Microsoft SmartScreen checks files marked with MotW against an allow list.
If the file isn't listed, SmartScreen alerts the user that the file is unknown and prevents it from executing unless the user insists on running it.
This latest technique, which the researchers have named "LNK stomping", allows attackers to bypass Mark-of-the-Web controls by crafting LNK files so that they have non-standard target paths or internal structures.
Such a file forces Windows to canonicalize ("fix") the path or structure, which rewrites the file on disk and strips the MotW metadata in the process.
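Because the bypass hinges on what a shortcut's target fields actually contain, an analyst triaging a suspicious LNK wants to see those fields without letting Explorer touch (and rewrite) the file. The following is an added example, not code from the article or from the researchers: a minimal parser for the public MS-SHLLINK layout that reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, and extracts the StringData fields (relative path, working directory, arguments) that Windows uses to resolve the target. The `build_lnk` helper and the sample paths are constructed for the demonstration; real shortcuts written by Explorer normally carry an IDList and LinkInfo as well.

```python
"""Minimal read-only parser for Windows Shell Link (.LNK) files.
Added example following the public MS-SHLLINK structure; not the
article's or the researchers' code. Reads bytes only and never
resolves the target, so it is safe to run over quarantined samples."""
import struct
from dataclasses import dataclass, field

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in exactly this order when their flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


@dataclass
class LnkSummary:
    link_flags: int
    has_id_list: bool
    has_link_info: bool
    strings: dict = field(default_factory=dict)


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a well-formed ShellLinkHeader."""
    if len(data) < HEADER_SIZE:
        return False
    header_size, = struct.unpack_from("<I", data, 0)
    return header_size == HEADER_SIZE and data[4:20] == LNK_CLSID


def parse_lnk(data: bytes) -> LnkSummary:
    """Extract LinkFlags, block presence and the StringData target fields."""
    if not is_shell_link(data):
        raise ValueError("not a ShellLink file (bad HeaderSize or CLSID)")
    link_flags, = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    has_id_list = bool(link_flags & HAS_LINK_TARGET_ID_LIST)
    if has_id_list:
        # IDListSize (2 bytes) counts the IDList bytes that follow, TerminalID included
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    has_link_info = bool(link_flags & HAS_LINK_INFO)
    if has_link_info:
        # LinkInfoSize (4 bytes) includes itself, so it is the whole block length
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(link_flags & IS_UNICODE)
    strings = {}
    for name, bit in STRING_FIELDS:
        if not link_flags & bit:
            continue
        # CountCharacters (2 bytes) then the characters, no terminator
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        pos += nbytes
        strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return LnkSummary(link_flags, has_id_list, has_link_info, strings)


def build_lnk(relative_path: str, working_dir: str = "", arguments: str = "") -> bytes:
    """Construct a minimal Unicode LNK carrying only StringData.
    Constructed sample for this demonstration, not a real shortcut."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b""
    for s in (relative_path, working_dir, arguments):
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    sample = build_lnk("..\\docs\\readme.txt", "C:\\Users\\analyst", "/quiet")
    print(parse_lnk(sample))
```

Run it against a real file with `parse_lnk(open(path, "rb").read())`; the summary shows which blocks the shortcut carries and the raw target strings, which is exactly what is worth comparing before and after Explorer has handled the file.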
News URL
https://www.helpnetsecurity.com/2024/08/06/motw-bypass-lnk-stomping/
Related news
- Threat actors are stepping up their tactics to bypass email protections
- Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections
- Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS
- MUT-1244 targeting security researchers, red teamers, and threat actors