
Researchers unearth MotW bypass technique used by threat actors for years
2024-08-06 11:28

Threat actors have been abusing a bug in how Windows handles LNK files with non-standard target paths and internal structures, which lets them prevent built-in protections from stopping malicious payloads and trick users into running them.

Microsoft SmartScreen checks files marked with MotW against an allow list.

If the file isn't listed, SmartScreen alerts the user that the file is unknown and prevents it from executing unless the user insists on running it.

This latest technique, which the researchers have named "LNK stomping", allows attackers to bypass Mark-of-the-Web controls by crafting LNK files so that they have non-standard target paths or internal structures.

Such a file forces Windows to canonicalize ("fix") the path or structure, which rewrites the file on disk and strips the MotW metadata.


News URL

https://www.helpnetsecurity.com/2024/08/06/motw-bypass-lnk-stomping/