Microsoft Patches MotW Zero-Day Exploited for Malware Delivery

Microsoft’s latest Patch Tuesday updates address six zero-day vulnerabilities, including one related to the Mark-of-the-Web (MotW) security feature that has been exploited by cybercriminals to deliver malware.

Windows adds the MotW to files coming from untrusted locations, including browser downloads and email attachments. When trying to open files with the MotW, users are warned about the potential risks or, in the case of Office, macros are blocked to prevent malicious code execution.

However, there are ways to bypass MotW defenses. Researcher Will Dormann has identified three different MotW bypass methods and informed Microsoft about them over the summer, but patches were only rolled out now, and only for two of the vulnerabilities. The techniques work against all or most versions of Windows.

One of the methods involves delivering the malicious file inside a ZIP archive. If the malicious file is extracted, it will have the MotW and the user gets a warning. However, if the file is executed directly from within the archive, Windows runs it without any warning. This issue is tracked as CVE-2022-41049 and it has been patched by Microsoft with its November Patch Tuesday updates.

Another MotW bypass method involves making the malicious file ‘read only’ and placing it inside a ZIP archive. When the file is extracted, Windows attempts to set the MotW, but fails, which means the file will be executed by Windows without any warning.

This vulnerability is tracked as CVE-2022-41091 and it has been fixed by Microsoft on Tuesday. This is the method that Microsoft has confirmed as being exploited in the wild.

“An attacker can craft a malicious file that would evade MotW defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MotW tagging,” Microsoft said in its advisory, noting that exploitation of the vulnerability requires user interaction.

HP security researchers recently analyzed a Magniber ransomware campaign that had used the technique to deliver the malware.

Rich Warren of the NCC Group, who has also been looking into this issue, has also seen some attacks, saying in mid-October that he had seen malicious samples going back at least 10 months. Warren has also made available some Yara rules to help detect ZIP files that attempt to exploit the vulnerability. 

After patches were released, Microsoft’s Bill Demirkapi clarified that the company has been working on patching the actively exploited vulnerability since July. The company learned about the issue from multiple researchers.

“This is only the beginning — changes take time,” Demirkapi explained. “There are still variants and other MotW issues that we recently became aware of. Although MotW bypasses do not typically meet MSRC’s bar for servicing, we can make exceptions for issues that are exploited in-the-wild.”

The MotW bypass vulnerability that remains unpatched is related to corrupt Authenticode. If a file has a malformed Authenticode signature, the warning dialog is not displayed.

Cybersecurity firm proofpoint reporter in July that threat actors had been bypassing MotW by delivering Office documents inside container file formats such as IMG, ISO, RAR and ZIP. 

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Related: Microsoft Patches Vulnerability Allowing Full Access to Azure Service Fabric Clusters