Exploit for Critical Windows Defender Bypass Goes Public

A proof-of-concept exploit (PoC) has become available for a critical zero-day vulnerability in the Windows SmartScreen technology.

Microsoft issued a patch for the issue in its November Patch Tuesday security update, but the bug was already under active exploit at the time as a zero-day. Now, the PoC further heightens the need for organizations to address the bug, if they haven't done so already.

Security Bypass for Getting Past Defender

CVE-2023-36025 is a security bypass flaw that gives attackers a way to sneak malicious code past Windows Defender SmartScreen checks without triggering any alerts. To exploit the flaw, an attacker would need to get a user to click on a maliciously crafted Internet shortcut (.URL) or a link pointing to such a file.

Microsoft has identified the bug as involving low attack complexity, requiring only low privileges and exploitable over the Internet. The vulnerability is present in Windows 10, Windows 11, and in Windows Server 2008 and later releases. Several security researchers earlier this month had described CVE-2023-36025 as being among the higher priority bugs to fix from Microsoft's November update.

The recent release of a PoC Internet shortcut file that an attacker could use to exploit CVE-2023-36025 is sure to heighten concerns around the vulnerability.

The script basically shows how an attacker could generate a seemingly legitimate looking but malicious .URL file and distribute it via a phishing email. "This .URL file points to a malicious website but could be presented as something legitimate," the researcher who wrote the attack script noted. "An attacker could deliver this crafted .URL file via phishing emails or through compromised websites."

A user tricked into clicking on the file would land directly on the malicious site or execute malicious code without receiving any of the usual warnings from SmartScreen.

"The exploitation of CVE-2023-36025 can lead to successful phishing attacks, malware distribution, and other cybersecurity threats," the researcher said.

APT Group TA544 Among Those Abusing Flaw

Among those targeting CVE-2023-36025 is TA544, a financially motivated, advanced persistent threat (APT) actor that Proofpoint and others have been tracking since at least 2017. Over the years, the threat group has used a variety of malware tools in campaigns targeting organizations in western Europe and Japan. But it is best known for distributing the Ursnif (aka Gozi) banking Trojan, and more recently a sophisticated second-stage downloader dubbed WikiLoader.

This week, a researcher at Proofpoint reported observing TA544 abusing CVE-2023-36025 in a campaign involving Remcos, a remote access Trojan that various threat actors have used over the years to remotely control and monitor compromised Windows devices. For the present campaign, the threat actor has established a unique webpage with links that direct users to a .URL file containing a path to a virtual hard disk (.vhd) file or to a .zip file hosted on a compromised website. CVE-2023-36025 gives the attackers a way to automatically mount the VHD on systems just by opening the .URL file, the researcher said.

"SmartScreen is used by Windows to prevent phishing attacks or access to malicious websites and the download of untrusted or potentially malicious files," Kev Breen, senior director of threat research at Immersive Labs, had noted when Microsoft first disclosed the SmartScreen vulnerability earlier this month. "This vulnerability suggests that a specially crafted file could be used by attackers to bypass this check, reducing the overall security of the operating system."

CVE-2023-36025 is the third zero-day bug in SmartScreen that Microsoft has disclosed so far this year. In February, researchers at Google found a threat actor abusing a previously unknown SmartScreen vulnerability to drop Magniber ransomware on target systems. Microsoft assigned the vulnerability as CVE-2023-24880 and issued a patch for it in March.

In July, the company patched CVE-2023-32049, a security bypass vulnerability in SmartScreen that threat actors were already actively exploiting at the time of patching.