Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Reputation-based security controls may be less effective at protecting organizations against unsafe Web applications and content than many assume.

A new study by researchers at Elastic Security found attackers have developed several effective techniques over the past few years to bypass mechanisms that block or allow applications and content based on their reputation and trustworthiness.

Multiple Available Techniques

The techniques include using digitally signed malware tools to make them appear legit, as well as reputation hijacking, reputation tampering, and specially crafted LNK files. "Reputation-based protection systems are a powerful layer for blocking commodity malware," Elastic Security researcher Joe Desimone wrote in a report this week. "However, like any protection technique, they have weaknesses that can be bypassed with some care."

For the study, the researchers used Microsoft Windows Smart App Control (SAC) and SmartScreen technologies as examples of a reputation-based mechanism for which attackers have developed bypasses.

SmartScreen is a feature that Microsoft introduced with Windows 8 to protect users against malicious website applications and file downloads. It verifies whether files that have the Mark of the Web (MoTW) on them — or files that Windows tags as downloaded from the Internet — can be trusted. Smart App Control became available with Windows 11. It uses Microsoft's threat intelligence service to determine if an application is trustworthy enough to run or not. If the threat intelligence is unable to determine an app's trustworthiness, SAC verifies if the app is digitally signed before allowing it to run.

The researchers at Elastic Security discovered that attackers have multiple ways around these protections.

LNK Stomping Around MoTW

One common way that attackers have used as a way around Smart App Control is by signing their malware with an extended validation (EV) SSL certificate, Elastic Security said. Though certificate authorities require proof of identity before they issue an EV to a requesting entity, threat actors have found ways to address this requirement by impersonating legitimate businesses. In other instances, they have used specially crafted and invalid code signing signatures to JavaScript and MSI files to bypass MoTW checks. For the past six years at least, attackers have also abused a weakness in how Windows handles shortcut files (LNK) to essentially strip the MoTW from malicious LNK files and sneak them past SmartScreen said Elastic Security, which has dubbed the tactic "LNK Stomping."

Reputation hijacking — where an attacker exploits the good reputation of trusted applications, websites and other entities — is another tactic. Elastic Security found that attackers often target trusted script hosts — or programs that execute scripts — such as Lua, Node.js, and AutoHotkey for this type of attack. The bypass involves placing malicious content where the trusted script host will automatically find and execute it during its normal course. "Script hosts are an ideal target for a reputation hijacking attack. This is especially true if they include a foreign function interface (FFI) capability," Desimone wrote. "With FFI, attackers can easily load and execute arbitrary code and malware in memory."

Elastic Security also found attackers using a technique called reputation seeding to bypass reputation-based filtering mechanisms. For these attacks, threat actors first introduce their own seemingly benign binaries or executable files into a target system and wait for them to build up a positive reputation over time. Another variation is introducing a legit application with a known vulnerability to a target environment for later use. "Smart App Control appears vulnerable to seeding," Desimone said in his report. "After executing a sample on one machine, it received a good label after approximately 2 hours."

The security vendor recommends that organizations bolster their security by using behavior analysis tools to monitor for common attack tactics such as credential access, enumeration, in-memory evasion, persistence, and lateral movement.