Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Exploited Windows zero-day lets JavaScript files bypass security warnings

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 04-29-2025, 06:23 AM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default


A new Windows zero-day allows threat actors to use malicious JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.
Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.
The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called 'Zone.Identifier,' which can be viewed using the 'dir /R' command and opened directly in Notepad, as shown below.

The Mark-of-the-Web alternate data stream
This 'Zone.Identifier' alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.
When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.
"While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software," reads the warning from Windows.

Windows security warning when opening files with MoTW flags
Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.
Windows MoTW bypass zero-day flaw
The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.
However, these JavaScript files were digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

JavaScript file used to install the Magniber Ransomware
After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the attackers signed these files with a malformed key.

Malformed signature in malicious JavaScript file
When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.
Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.
Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

Mark-of-the-Web on Dormann's PoC exploits
The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all.

Dormann's PoC Exploits
When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.
However, when double-clicking the 'calc-othersig.js,' which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.

Demonstration of the Windows zero-day bypassing security warnings
Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.
BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.
Dormann told BleepingComputer that he believes this bug was first introduced with the release of Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

According to Dormann, the bug stems from Windows 10's new 'Check apps and files' SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.
"This issue is in the new-as-of-Win10 SmartScreen feature. And disabling "Check apps and files" reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures," Dormann told BleepingComputer.
"So that whole setting is unfortunately currently a tradeoff. On one hand, it does scan for baddies that are downloaded."
"On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled."
The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.
Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.
However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.
 

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 10:39 AM.

Contact Us - Carder.life - Archive - Top