Copy2Pwn
| Attribute | Value |
|---|---|
| Type of Attack | Exploit Kit |
| Date of Initial Activity | 2024 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
Overview
The Copy2Pwn exploit, identified as CVE-2024-38213, has emerged as a significant threat to Windows systems by bypassing critical security protections in a manner that allows remote code execution (RCE). This vulnerability, discovered by Trend Micro’s Zero Day Initiative (ZDI), exploits a flaw in how Windows handles files copied from WebDAV shares, a protocol used for authoring and sharing web content. Unlike traditional file transfers via browsers, which trigger Mark-of-the-Web (MotW) protections on downloaded files, files copied through WebDAV shares bypass these protections altogether. This oversight allows threat actors to deploy malicious payloads that evade standard security defenses, including Windows Defender SmartScreen and Microsoft Office Protected View, leaving users exposed to potential cyberattacks.
The vulnerability was first discovered during an investigation into DarkGate operators, a cybercriminal group leveraging copy-and-paste tactics to infect users. The threat actors targeted WebDAV shares to host malicious payloads, relying on the inherent flaws in how Windows processes these files. Unlike files downloaded directly through browsers, which are tagged with the MotW indicator to signal that they come from an untrusted source, files copied from WebDAV shares were treated similarly to those retrieved from SMB (Server Message Block) shares, bypassing the MotW flag. This issue became a critical entry point for malware deployment, as it allowed files to be copied and executed without triggering the usual security prompts or reputation checks.
How they operate
WebDAV, which stands for Web-based Distributed Authoring and Versioning, is an extension to the Hypertext Transfer Protocol (HTTP) that provides capabilities for authoring and managing files on remote servers. While WebDAV is typically accessed through web browsers such as Microsoft Edge or Google Chrome, which apply the MotW flag to files originating from untrusted sources, Windows operating systems also allow access to WebDAV shares through Windows Explorer using UNC paths (Universal Naming Convention), such as \\10.37.129.2@80\example_webdav_folder. When accessed this way, files are handled directly by the Windows OS rather than through a web browser, which leads to a major security gap.
The MotW flag is a security feature in Windows that marks files downloaded from untrusted sources (like the web) with an NTFS Alternate Data Stream (ADS) named Zone.Identifier. The presence of this flag triggers various protections, such as warnings from Windows Defender SmartScreen and Microsoft Office Protected View, which prevent users from executing potentially dangerous files, such as executables or files with embedded malicious macros. Files with the MotW flag are treated as untrusted, and their execution is restricted. However, in the case of WebDAV shares accessed via Windows Explorer, the operating system does not consistently apply the MotW flag to copied files, leaving them unprotected when copied to local machines.
This inconsistency occurs because Windows handles WebDAV shares much like SMB (Server Message Block) shares, which are typically trusted locations within local networks. When a file is copied from a WebDAV share accessed through Windows Explorer, it is transferred directly from the network location to the local system without triggering the MotW flag, even though it originated from an external source. This absence of the MotW designation means that critical security checks like reputation and signature checks by Windows Defender SmartScreen are bypassed, and files can be opened without warning, even if they contain malicious code. The exploit allows attackers to leverage this flaw to distribute malware that runs undetected by the usual security measures.
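The Zone.Identifier stream and the WebDAV UNC path form described above, worked into a small defender-side helper. This is an added example, not code from the original profile or from ZDI: it parses a Zone.Identifier body, recognises the `\\host@port\` and `\\host@SSL\` UNC forms that route through the WebDAV client, and (on Windows only) reads or writes the alternate data stream so that a file copied from a WebDAV share can be checked for, or given, the MotW flag. The sample stream body is constructed.

```python
import os
import re
from typing import Optional

# Constructed sample of a Zone.Identifier alternate data stream as a browser writes it.
SAMPLE_ZONE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                      "ReferrerUrl=https://example.test/\r\n"
                      "HostUrl=https://example.test/report.docx\r\n")

# WebDAV-style UNC paths: \\10.37.129.2@80\share, \\host@SSL\share, \\host@SSL@8443\share
WEBDAV_UNC = re.compile(r"^\\\\[^\\@]+@(?:\d+|SSL)(?:@\d+)?\\", re.IGNORECASE)

def parse_zone_identifier(stream: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent/malformed."""
    section = None
    for line in stream.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None

def is_webdav_source(path: str) -> bool:
    """True when the path is a WebDAV UNC share rather than a plain SMB share."""
    return bool(WEBDAV_UNC.match(path))

def expected_zone(source_path: str) -> Optional[int]:
    """A file copied from a WebDAV UNC share should carry ZoneId=3 (Internet zone)."""
    return 3 if is_webdav_source(source_path) else None

def read_zone_id(path: str) -> Optional[int]:
    """Windows/NTFS only: read the file's Zone.Identifier ADS; None when it is missing."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

def apply_motw(path: str, zone_id: int = 3) -> None:
    """Windows/NTFS only: write a minimal Zone.Identifier ADS, marking the file untrusted."""
    if os.name != "nt":
        raise OSError("NTFS alternate data streams are only available on Windows")
    with open(path + ":Zone.Identifier", "w", encoding="utf-8", newline="") as f:
        f.write(f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n")
```

On a patched system `read_zone_id` on a file copied from a WebDAV share should return 3; a `None` result for such a copy is the gap this profile describes, and `apply_motw` restores the SmartScreen and Protected View checks for that file.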
To exploit the Copy2Pwn vulnerability, threat actors take advantage of the file-handling behavior in Windows Explorer. They craft files hosted on WebDAV shares to appear harmless by using decoy icons or file names, so that they look like legitimate documents, shortcuts, or compressed archives. By crafting Windows search protocol requests, attackers can control the search results presented to the user, displaying only the malicious files they want the victim to interact with. For example, they can modify the file's icon or file extension (e.g., making a malicious executable look like a harmless .txt file), tricking the user into executing a file that bypasses Windows' usual security defenses.
Once a victim unwittingly opens one of these files, the malicious code embedded within it is executed, which can lead to remote code execution. Since the file was not marked as untrusted, no warning is presented, and no protection mechanisms such as Microsoft Office Protected View are triggered. This can give attackers the ability to gain control over the victim’s system, steal sensitive data, or install further malicious software.
The Copy2Pwn exploit was discovered during an investigation into a DarkGate cybercriminal campaign that used WebDAV shares for payload distribution. The attackers took advantage of this flaw to distribute malware through copy-and-paste operations, evading traditional defenses. Microsoft’s patch, released in June 2024, addressed the issue by ensuring that files copied from WebDAV shares are now properly marked with the MotW flag, thereby reactivating the security checks that were previously bypassed. However, the exploit demonstrates the complexities of modern attack techniques and the importance of continuous vigilance and timely updates in cybersecurity.