Threat Actors Seek to Avoid Detection Using Reputation Control Bypasses

====================

TL;DR

Microsoft has resolved several security bypasses of Microsoft Windows Smart App Control in recent months and during 2023, but a more recently reported bypass “may be fixed” in a future Windows Update (more details below). Reputation-based security controls should not be relied upon in isolation.

Update, September 2024: as of 10th September 2024, Microsoft has resolved this vulnerability with this security update. As above, even with the update applied, reputation-based security controls should not be relied upon in isolation.

====================

Threat actors are continuously seeking new ways to keep their malware from being detected. If they succeed, malware such as trojans and information stealers can be deployed. One means of bypassing detection is to evade reputation-based controls such as Microsoft Windows Smart App Control and Microsoft Windows Defender SmartScreen.


What is Smart App Control?

Smart App Control is a security feature of Windows 11 that complements the protections offered by Windows Defender. It is a reputation-based protection mechanism that seeks to offer a low rate of false positives.

Smart App Control’s goal is to add a further layer of defence against malware and unwanted applications by checking with Microsoft’s cloud security service to determine whether the application has been seen before and can be trusted. If it’s believed to be safe, it’s allowed to run. If there are indications that it’s an unwanted or malicious application, it will be blocked.

If for any reason the cloud service is unavailable, the digital signature of the application is checked. If the signature is valid the application is permitted to run. If the signature is invalid or not present, the application will be blocked.

What is SmartScreen?

Microsoft Windows Defender SmartScreen is the predecessor of Smart App Control and was introduced in Windows 8. It performed reputation checks against any file or application downloaded from the internet, using the Mark of the Web (MotW) as the indicator that a file came from the internet.

Can Smart App Control be bypassed? Yes, there are several known means of bypassing Smart App Control that fall in the following categories:

  • Reputation Hijacking
  • Reputation Seeding
  • Reputation Tampering
  • Signed Malware
  • LNK Stomping

LNK Stomping is a recently documented technique but is known to have been in use since 2018. Elastic Security Labs recently disclosed this Smart App Control bypass technique to Microsoft; however, Microsoft have stated that this class of bypass may be fixed in a future Windows update.

How have reputation-based controls been bypassed recently and in the past?

In June 2024, Microsoft resolved the vulnerability designated CVE-2024-38213. It had been used in March 2024 by the operators of the DarkGate malware group to deploy malware disguised as Apple iTunes and Nvidia software (among others).

Other examples of bypasses are listed below:

March 2024

CVE-2024-21412: an earlier exploit, again used by the DarkGate malware group and also by the DarkMe remote access trojan (RAT)

February 2024

CVE-2024-29988: SmartScreen bypass (a bypass of the patch for CVE-2024-21412), used by the Water Hydra hacking group

November 2023

CVE-2023-36025: used to deploy Phemedrone malware


What is Gatekeeper?

Similar to Smart App Control, Gatekeeper for Apple macOS is a security feature that checks every application downloaded from the internet to determine whether it has received a developer signature from Apple. This is carried out by checking an extended attribute of the downloaded application known as com.apple.quarantine (similar to the Mark of the Web mentioned above).
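Both SmartScreen and Gatekeeper key their reputation checks on a per-file download marker: the Windows Mark of the Web, stored in the Zone.Identifier alternate data stream, and the macOS com.apple.quarantine extended attribute. The following Python is an added example, not code from the original post or from Microsoft or Apple. It parses both markers so a defender can see what the controls actually look at, and shows how to read them from a real file (the NTFS stream via the `path:Zone.Identifier` name, the macOS attribute via the `xattr -p` command). The sample stream and attribute contents are constructed for illustration; the zone-ID mapping follows the Windows URL security zone values, and the quarantine layout (flags;hex-epoch;agent;uuid) is as written by macOS browsers. A missing or malformed marker returns None, which is exactly the state a reputation control cannot reason about.

```python
"""Parse the download-provenance markers that reputation controls key on.

Added example (not from the original post). Sample contents below are constructed.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Windows URL security zone values written into the Zone.Identifier stream
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of a Zone.Identifier stream as written by a browser download
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/setup.exe\r\n"
)

# Constructed sample of a com.apple.quarantine attribute: flags;hex-epoch;agent;uuid
SAMPLE_QUARANTINE = "0083;66d9f0a0;Safari;00000000-0000-0000-0000-000000000000"


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def from_internet(self) -> bool:
        # Internet or Restricted zone: the file counts as downloaded from the internet
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style Zone.Identifier text; None if no usable [ZoneTransfer] ZoneId."""
    section = None
    values = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    try:
        zone_id = int(values["zoneid"])
    except (KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, values.get("referrerurl"), values.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """On NTFS the alternate data stream is opened as '<path>:Zone.Identifier'."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such file, or no stream: the file carries no MotW
        return None


@dataclass
class QuarantineAttr:
    flags: int
    timestamp: datetime
    agent: str
    event_id: Optional[str]


def parse_quarantine(attr_text: str) -> Optional[QuarantineAttr]:
    """Parse 'flags;hex-epoch;agent[;uuid]'; None if the attribute is malformed."""
    parts = attr_text.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return QuarantineAttr(flags, ts, parts[2], parts[3] if len(parts) > 3 else None)


def read_quarantine(path: str) -> Optional[QuarantineAttr]:
    """On macOS, read the attribute with the xattr command; None if absent or unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(out)


if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(f"MotW zone: {motw.zone_name}, from internet: {motw.from_internet}, host: {motw.host_url}")
    q = parse_quarantine(SAMPLE_QUARANTINE)
    print(f"Quarantine: flags=0x{q.flags:04x} agent={q.agent} at {q.timestamp.isoformat()}")
```

Running the script on the constructed samples reports an Internet-zone download and a Safari quarantine record; pointing `read_mark_of_the_web` or `read_quarantine` at a downloaded file on the respective platform reads the real marker. A file that has had its marker stripped or mangled comes back as None, which is the case the post's bypass categories exploit and the reason the recommendation below is not to rely on these controls alone.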

Recommendations

For security teams within organisations, security controls such as Windows Smart App Control and Windows Defender SmartScreen can be bypassed and should not be solely relied upon. Defenders should be able to detect malware persistence, fileless (memory-only) malware, suspicious use of credentials and lateral movement by threat actors, all of which are detectable with an XDR solution. In addition, methods to check the legitimacy of downloaded files should be employed, e.g. anti-malware software.

Thank you.


Acknowledgements: My thanks to Microsoft, Bleeping Computer and Trend Micro for the references linked to within this post.

Image Credit: https://unsplash.com/@tylergm
