CyberSecurity SEE

Attackers Employ Various Methods to Circumvent Reputation-Based Security

Research published by Elastic Security shows the limits of reputation-based security controls as protection against unsafe applications and content. The researchers found that attackers have developed techniques to bypass mechanisms that decide whether to block or allow an application or file based on its reputation and trustworthiness.

According to the study, attackers have used several tactics in recent years to get past reputation-based protection: signing malware so that it appears legitimate, reputation hijacking, reputation tampering, and specially crafted LNK (shortcut) files. Reputation-based protection is a strong layer against commodity malware, but it is not infallible and can be bypassed with careful planning, as Elastic Security researcher Joe Desimone notes in the report.

The researchers used Microsoft's Windows Smart App Control (SAC) and SmartScreen as examples of reputation-based mechanisms that attackers have bypassed. SmartScreen, built into Windows since Windows 8, protects users from malicious websites and downloads: a downloaded file carries the Mark of the Web (MoTW, stored in the file's Zone.Identifier alternate data stream), and a file bearing the mark is checked against Microsoft's reputation service before it is allowed to run, so a file without the mark is never checked. Smart App Control, available on Windows 11, goes further and queries Microsoft's threat intelligence service about every application before allowing it to run, whether or not it was downloaded.

Elastic Security described several ways around these protections. One is to sign the malware with an extended validation (EV) code signing certificate, which carries enough reputation to pass both checks; attackers obtain such certificates despite the identity verification that certificate authorities require. Another relies on malformed Authenticode signatures on JavaScript and MSI files, which caused SmartScreen to skip its check rather than block the file. A third, which Elastic calls "LNK Stomping", abuses how Explorer handles shortcut (LNK) files with a non-standard target path: when such a shortcut is opened, Explorer rewrites it into canonical form and in doing so drops the MoTW, so the file is never passed to SmartScreen.
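As an added illustration of the LNK stomping variants described above (example code written for this article, not Elastic's), the Python below parses a shortcut's LinkInfo and StringData fields following the public [MS-SHLLINK] layout and flags the two target forms that Explorer rewrites on first use: a target name ending in a dot or space, and a dot-relative target such as ".\payload.exe". The shortcuts it inspects are constructed inline by build_lnk (they omit the IDList that real shortcuts carry); the indicator heuristics, the field names and the cp1252 codepage are assumptions of the example.

```python
"""
Minimal Shell Link (.lnk) parser plus a check for the non-canonical target
paths used in LNK stomping. Layout follows [MS-SHLLINK]; the sample
shortcuts are constructed below and are not real attacker files.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits ([MS-SHLLINK] 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the path-bearing fields of a .lnk (LocalBasePath and the StringData strings)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"flags": flags}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList, skipped
    if flags & HAS_LINK_INFO:
        info_size, _info_header, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x01:                                   # VolumeIDAndLocalBasePath
            base_off = struct.unpack_from("<I", data, pos + 16)[0]   # LocalBasePathOffset
            start = pos + base_off
            end = data.index(b"\x00", start)
            fields["local_base_path"] = data[start:end].decode("cp1252")  # ANSI codepage assumed
        pos += info_size
    for flag, name in STRING_DATA:                              # fixed order per spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]          # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def stomping_indicators(fields: dict) -> list:
    """Flag target paths in the forms Explorer canonicalises (and thereby strips MoTW) on first use."""
    findings = []
    for key in ("local_base_path", "relative_path"):
        path = fields.get(key)
        if not path:
            continue
        leaf = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if leaf.endswith(".") or leaf.endswith(" "):
            findings.append(f"{key}: target name ends with dot/space: {path!r}")
        if path.startswith(".\\") or path.startswith("./"):
            findings.append(f"{key}: dot-relative target: {path!r}")
    return findings


def build_lnk(local_base_path: str, relative_path: str) -> bytes:
    """Construct a minimal shortcut (LinkInfo + RelativePath, no IDList) as test input."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base = local_base_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"                                                # empty CommonPathSuffix
    info_header = 0x1C
    vol_off = info_header
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    info_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", info_size, info_header, 0x01,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    string_data = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + string_data


if __name__ == "__main__":
    samples = {
        "canonical": build_lnk(r"C:\Windows\System32\calc.exe", r"..\..\..\Windows\System32\calc.exe"),
        "stomped": build_lnk(r"C:\Users\Public\payload.exe.", r".\payload.exe."),
    }
    for label, blob in samples.items():
        print(label, stomping_indicators(parse_lnk(blob)) or "no indicators")
```

Run it against shortcuts quarantined from mail or downloads before anyone opens them: once Explorer has rewritten a stomped shortcut, the odd path is gone along with the MoTW, so only the pre-click copy carries the indicator. The folder-type variant Elastic also mentions is not caught by these two string checks.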

Reputation hijacking is another common tactic: the attacker borrows the good reputation of a trusted application or website. Elastic Security found that attackers favour trusted script hosts such as the Lua, Node.js, and AutoHotkey interpreters, shipping the interpreter, which already has a good reputation, together with a malicious script so that the trusted binary executes the attacker's code. Reputation seeding, a related technique, plants a seemingly benign attacker-controlled file on a system so that it accumulates a good reputation over time, or plants a legitimate application with a known vulnerability for later exploitation. Reputation tampering, the remaining technique named in the report, modifies a file that already has a good reputation in ways that preserve that reputation while changing what the file does.

To defend against these tactics, Elastic Security recommends that organizations not rely on reputation checks alone and instead use behavioural analysis to monitor for activity such as credential access, enumeration, in-memory evasion, persistence, and lateral movement. Combined with proactive security measures and attention to evolving threats, this gives organizations a better chance of protecting their infrastructure and data.
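To show how the behavioural monitoring recommended above could catch the script-host hijacking described earlier, here is an added Python example (written for this article, not taken from the Elastic report) that scans process-creation events in the style of Sysmon Event ID 1 (Image, CommandLine, ParentImage) and flags a trusted script host running from, or executing a script from, a user-writable location, as well as a script host spawning a living-off-the-land child. The event lines, the interpreter and child-process lists and the user-writable path pattern are constructed for the example.

```python
"""
Behavioural detection for reputation hijacking via trusted script hosts.
Input is newline-delimited JSON with Sysmon-style field names; the sample
events below are constructed for the example.
"""
import json
import ntpath
import re

# Interpreters the report names as hijacked script hosts (assumed binary names).
SCRIPT_HOSTS = {"node.exe", "lua.exe", "lua5.1.exe", "lua54.exe", "luajit.exe",
                "autohotkey.exe", "autohotkey32.exe", "autohotkey64.exe", "autohotkeyu64.exe"}
SCRIPT_EXT = {".js", ".mjs", ".cjs", ".lua", ".ahk"}
# Children a script host rarely needs in legitimate use (assumed list, tune per estate).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                   "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# Locations an unprivileged user, and therefore a dropper, can write to (assumed pattern;
# Documents is left out deliberately to keep noise down).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(downloads|appdata|desktop)|users\\public|windows\\temp|programdata)\\",
    re.IGNORECASE)


def _tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def analyze(event: dict) -> list:
    """Return the list of findings for one process-creation event."""
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    findings = []
    if name in SCRIPT_HOSTS:
        # A bundled interpreter dropped next to the payload, rather than an installed one.
        if USER_WRITABLE.search(image):
            findings.append(f"script host {name} running from user-writable path {image}")
        # The script argument itself living where a download or dropper would put it.
        for arg in _tokens(event.get("CommandLine", ""))[1:]:
            if ntpath.splitext(arg)[1].lower() in SCRIPT_EXT and USER_WRITABLE.search(arg):
                findings.append(f"{name} executing script from user-writable path {arg}")
    if parent in SCRIPT_HOSTS and name in LOLBIN_CHILDREN:
        findings.append(f"script host {parent} spawned {name}: {event.get('CommandLine', '')}")
    return findings


def scan(jsonl: str) -> list:
    """Run analyze() over newline-delimited JSON events; return (line_no, finding) pairs."""
    hits = []
    for line_no, line in enumerate(jsonl.splitlines(), 1):
        if line.strip():
            hits.extend((line_no, f) for f in analyze(json.loads(line)))
    return hits


# Constructed sample telemetry: one benign Node.js run, one hijacked Node.js run,
# one AutoHotkey-spawned PowerShell, one benign AutoHotkey run.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\api\server.js',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\node\node.exe" "C:\Users\alice\Downloads\invoice\app.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1",
     "ParentImage": r"C:\Users\Public\ahk\AutoHotkey64.exe"},
    {"Image": r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",
     "CommandLine": r'"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe" C:\Users\bob\Documents\hotkeys.ahk',
     "ParentImage": r"C:\Windows\explorer.exe"},
])

if __name__ == "__main__":
    for line_no, finding in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {finding}")
```

The point of the rules is that none of them looks at the reputation of the interpreter, which is exactly what the attacker is counting on; they look at where it runs from, what it was given to run, and what it spawns. Expect to tune the path pattern and child list for developer workstations, where Node.js running scripts from a user profile is normal.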
