Copy2Pwn (Exploit Kit) – Malware

February 13, 2025
in Exploits, Malware

Copy2Pwn

Type of Attack: Exploit Kit
Date of Initial Activity: 2024
Motivation: Cyberwarfare
Attack Vectors: Software Vulnerabilities
Targeted Systems: Windows

Overview

The Copy2Pwn exploit, identified as CVE-2024-38213, has emerged as a significant threat to Windows systems: it bypasses critical security protections in a way that allows remote code execution (RCE). The vulnerability, discovered by Trend Micro’s Zero Day Initiative (ZDI), lies in how Windows handles files copied from WebDAV shares (WebDAV being a protocol for authoring and sharing web content). Unlike files downloaded through a browser, which receive Mark-of-the-Web (MotW) protections, files copied from WebDAV shares bypass these protections altogether. This oversight lets threat actors deploy malicious payloads that evade standard defenses, including Windows Defender SmartScreen and Microsoft Office Protected View, leaving users exposed to attack.

The vulnerability was first discovered during an investigation into DarkGate operators, a cybercriminal group that relies on copy-and-paste tactics to infect users. The threat actors hosted malicious payloads on WebDAV shares, counting on the flaw in how Windows processes such files. Files downloaded directly through a browser are tagged with the MotW indicator to signal that they come from an untrusted source, but files copied from WebDAV shares were treated like those retrieved from SMB (Server Message Block) shares and received no MotW flag. This became a critical entry point for malware deployment, as files could be copied and executed without triggering the usual security prompts or reputation checks.

Targets: Information

How they operate

WebDAV (Web-based Distributed Authoring and Versioning) is an extension to the Hypertext Transfer Protocol (HTTP) that provides capabilities for authoring and managing files on remote servers. WebDAV content is typically accessed through web browsers such as Microsoft Edge or Google Chrome, which apply the MotW flag to files originating from untrusted sources, but Windows also allows access to WebDAV shares through Windows Explorer using UNC (Universal Naming Convention) paths such as \\10.37.129.2@80\example_webdav_folder. Files accessed this way are handled directly by the Windows OS rather than by a browser, and that is where the security gap opens.

The MotW flag is a Windows security feature that marks files downloaded from untrusted sources (such as the web) with an NTFS Alternate Data Stream (ADS) named Zone.Identifier. Its presence triggers protections such as Windows Defender SmartScreen warnings and Microsoft Office Protected View, which stop users from running potentially dangerous files, such as executables or documents with embedded malicious macros. Files carrying the flag are treated as untrusted, and their execution is restricted.

For WebDAV shares accessed via Windows Explorer, however, the operating system did not consistently apply the MotW flag to copied files, leaving them unprotected once copied to the local machine. The inconsistency arises because Windows handles WebDAV shares much like SMB (Server Message Block) shares, which are typically trusted locations within a local network. A file copied from a WebDAV share through Windows Explorer is transferred directly from the network location to the local system without receiving the MotW flag, even though it originated from an external source. Without the MotW designation, critical checks such as SmartScreen’s reputation and signature checks are skipped, and the file opens without warning even if it contains malicious code. The exploit lets attackers use this flaw to distribute malware that runs undetected by the usual security measures.

To exploit Copy2Pwn, threat actors take advantage of this file-handling behavior in Windows Explorer. They craft files hosted on WebDAV shares to look harmless, using decoy icons or file names so that they pass as legitimate documents, shortcuts, or compressed archives. By carefully crafting Windows search protocol queries, attackers can control the search results presented to the user, displaying only the malicious files they want the victim to interact with. For example, they can modify the file’s icon or extension (making a malicious executable look like a harmless .txt file), tricking the user into running a file that bypasses Windows’ usual defenses. Once a victim opens one of these files, the embedded malicious code executes, which can lead to remote code execution. Because the file was never marked as untrusted, no warning is shown and no protection such as Microsoft Office Protected View is triggered. This can give attackers control over the victim’s system, access to sensitive data, or a foothold for installing further malware.

The Copy2Pwn exploit was discovered during an investigation into a DarkGate cybercriminal campaign that used WebDAV shares for payload distribution; the attackers exploited this flaw to deliver malware through copy-and-paste operations while evading traditional defenses. Microsoft’s patch, released in June 2024, addressed the issue by ensuring that files copied from WebDAV shares are properly marked with the MotW flag, restoring the security checks that had been bypassed. The exploit nonetheless illustrates the complexity of modern attack techniques and the importance of continuous vigilance and timely updates.
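As an added defender-side example (not code from the article or from ZDI), the PowerShell script below audits a folder for files that carry no Zone.Identifier stream, reports the zone of those that do, and can stamp unmarked files as Internet zone (ZoneId=3) when they are known to have been copied from a WebDAV UNC path, so that SmartScreen and Protected View treat them the way a browser download would be treated. The folder, source path and host URL are assumed placeholders, the function names are chosen here, and the -Stream parameter requires an NTFS volume on Windows.

```powershell
# Audit a folder for files lacking the Mark-of-the-Web and, optionally,
# stamp them as Internet zone. Folder, source path and host URL are assumed
# placeholders; Test-WebDavUnc, Get-MotW and Set-MotW are names chosen here.
param(
    [Parameter(Mandatory)] [string] $Folder,
    [string] $Source  = '\\10.37.129.2@80\example_webdav_folder',    # where the files were copied from
    [string] $HostUrl = 'http://10.37.129.2/example_webdav_folder/', # recorded in the ADS when stamping
    [switch] $Stamp
)

# True for the UNC forms Explorer uses to reach a WebDAV share:
# \\host@80\..., \\host@SSL\..., \\host@SSL@443\..., \\host\DavWWWRoot\...
function Test-WebDavUnc {
    param([string] $Path)
    return ($Path -match '^\\\\[^\\]+@(SSL|\d+)(@\d+)?\\') -or ($Path -match '^\\\\[^\\]+\\DavWWWRoot(\\|$)')
}

# Parse the Zone.Identifier ADS into a hashtable (ZoneId, HostUrl, ...); $null if absent.
function Get-MotW {
    param([string] $Path)
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $zone = @{}
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^(\w+)=(.*)$') { $zone[$Matches[1]] = $Matches[2].Trim() }
    }
    return $zone
}

# Write a ZoneId=3 (Internet) marker, the same zone a browser download receives.
function Set-MotW {
    param([string] $Path, [string] $HostUrl)
    $body = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

$fromWebDav = Test-WebDavUnc $Source
if ($fromWebDav) { Write-Output "Source $Source is a WebDAV UNC path; copies may lack MotW." }

Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
    $motw = Get-MotW $_.FullName
    if ($null -eq $motw) {
        Write-Output ("MISSING MotW : {0}" -f $_.FullName)
        if ($Stamp -and $fromWebDav) {
            Set-MotW $_.FullName $HostUrl
            Write-Output "  stamped ZoneId=3 so SmartScreen and Protected View apply"
        }
    } else {
        Write-Output ("ZoneId={0,-2}   : {1}" -f $motw['ZoneId'], $_.FullName)
    }
}
```

Run it without -Stamp first to see which files in a user's download or staging folder arrived with no zone marker; on a patched system, copies from a WebDAV share should already show ZoneId=3.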
References:
  • CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
Tags: copy2pwn, Darkgate, Exploit Kit, Malware, Trend Micro, Windows, Zero-Day