Public Release of PoC Exploit for Critical Windows Defender Bypass

November 21, 2023

A PoC exploit is now publicly available for a critical zero-day vulnerability in Windows SmartScreen technology. Microsoft had already issued a patch for this flaw, designated as CVE-2023-36025, in its November Patch Tuesday security update. The bug was being actively exploited as a zero-day at that time, and the release of the PoC further underscores the importance of addressing this vulnerability.

CVE-2023-36025 is a security bypass flaw that allows attackers to slip malicious code past Windows Defender SmartScreen checks without setting off any alarms. The exploitation process involves getting a user to click on a maliciously crafted Internet shortcut (.URL) or a link leading to such a file. Microsoft has characterized the bug as having low attack complexity, needing only minimal privileges, and being exploitable via the Internet. This vulnerability affects Windows 10, Windows 11, and Windows Server 2008 and later versions.

A number of security researchers had previously identified CVE-2023-36025 as a high-priority bug to fix from Microsoft's November update. The recent release of a PoC Internet shortcut file that could be used to exploit this vulnerability is likely to raise further concerns. The script demonstrates how an attacker could create a seemingly legitimate but malicious .URL file and distribute it through a phishing email.

The researcher who developed the attack script explained, "This .URL file points to a malicious website but could be presented as something legitimate. An attacker could deliver this crafted .URL file via phishing emails or through compromised websites." If a user is fooled into clicking on the file, they would be taken directly to the malicious site or execute malicious code without receiving any of the usual warnings from SmartScreen. The researcher further stated, "The exploitation of CVE-2023-36025 can lead to successful phishing attacks, malware distribution, and other cybersecurity threats."

Among the threat actors targeting CVE-2023-36025 is TA544, a financially motivated advanced persistent threat (APT) actor that has been monitored by Proofpoint and others since at least 2017. Over the years, this group has utilized a range of malware tools in campaigns aimed at organizations in Western Europe and Japan. It is most notorious for distributing the Ursnif (aka Gozi) banking Trojan, and more recently a sophisticated second-stage downloader known as WikiLoader.

A researcher at Proofpoint reported that TA544 has been exploiting CVE-2023-36025 in a campaign involving Remcos, a remote access Trojan that has been used by various threat actors to remotely control and monitor compromised Windows devices. In the current campaign, the threat actor has set up a unique webpage with links that direct users to a .URL file containing a path to a virtual hard disk (.vhd) file or to a .zip file hosted on a compromised website. With CVE-2023-36025, the attackers can automatically mount the VHD on systems just by opening the .URL file, the researcher explained.
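The delivery vehicle in both the PoC and the TA544 campaign is an Internet Shortcut, which is a small INI-style text file with an `[InternetShortcut]` section and a `URL=` key. The following triage script, added here as an illustration and not code from the article, Proofpoint, or any vendor tool, parses that format and flags shortcuts whose target is a disk image or archive (the .vhd and .zip pattern described above) or uses a scheme other than http/https. The extension list, the scheme allow-list, and the sample shortcuts are constructed assumptions for the example, not a published detection signature.

```python
"""
Triage heuristic for Windows Internet Shortcut (.URL) files.

Added example, not part of the original article. Parses the .URL format
(an INI file with an [InternetShortcut] section) and reports targets that
match the pattern described for the TA544 campaign: a shortcut that leads
to a virtual hard disk or archive rather than an ordinary web page.
"""
import configparser
from urllib.parse import urlparse

# Assumption: targets with these extensions deserve analyst attention because
# Windows can open or mount them directly from a shortcut click.
SUSPICIOUS_EXTENSIONS = (".vhd", ".vhdx", ".iso", ".img", ".zip")

# Assumption: a shortcut delivered by e-mail normally points at a web page;
# anything else (file://, UNC paths, blank scheme) is unusual.
EXPECTED_SCHEMES = ("http", "https")


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section."""
    # strict=False tolerates duplicate keys, which real .URL files sometimes contain
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case (URL, IconIndex, ...)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut: missing [InternetShortcut]")
    return dict(parser["InternetShortcut"])


def triage_shortcut(text: str) -> list:
    """Return human-readable findings for one .URL file (empty list = nothing flagged)."""
    fields = parse_url_file(text)
    findings = []
    target = fields.get("URL", "").strip()
    if not target:
        findings.append("no URL= target")
        return findings

    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in EXPECTED_SCHEMES:
        findings.append(f"unexpected scheme {scheme or '(none)'}: {target}")

    # For http(s)/file URLs the interesting part is the path; for bare UNC
    # strings urlparse yields no scheme, so inspect the whole target instead.
    path = parsed.path.lower() if scheme else target.lower()
    if path.endswith(SUSPICIOUS_EXTENSIONS):
        findings.append(f"target is a disk image or archive: {target}")
    return findings


# Constructed sample shortcuts (not real campaign artifacts).
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"
SAMPLE_VHD = "[InternetShortcut]\r\nURL=https://compromised.example/files/invoice.vhd\r\n"
SAMPLE_FILE_ZIP = "[InternetShortcut]\r\nURL=file://fileshare.example/public/report.zip\r\n"


def triage_samples() -> dict:
    """Run the heuristic over the constructed samples; returns name -> findings."""
    samples = {"benign": SAMPLE_BENIGN, "vhd": SAMPLE_VHD, "file_zip": SAMPLE_FILE_ZIP}
    return {name: triage_shortcut(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        status = "FLAGGED" if findings else "clean"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a mail gateway's quarantined attachments or an endpoint's download folder, the output separates ordinary web shortcuts from the ones that point at a mountable image; a match is a reason to pull the file for analysis, not a verdict on its own, since the heuristic knows nothing about the destination host.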

Kev Breen, senior director of threat research at Immersive Labs, commented when Microsoft first revealed the SmartScreen vulnerability, "SmartScreen is used by Windows to prevent phishing attacks or access to malicious websites and the download of untrusted or potentially malicious files. This vulnerability suggests that a specially crafted file could be used by attackers to bypass this check, reducing the overall security of the operating system."

CVE-2023-36025 is the third zero-day bug in SmartScreen that Microsoft has disclosed this year. In February, Google researchers discovered a threat actor exploiting a previously unknown SmartScreen vulnerability to deliver Magniber ransomware on target systems. Microsoft assigned this vulnerability as CVE-2023-24880 and issued a patch for it in March. In July, the company patched CVE-2023-32049, another security bypass vulnerability in SmartScreen that was being actively exploited at the time of patching.
