Friday, July 6, 2018

New macro-less technique to distribute malware using .SettingsContent-ms

There's a new infection vector can be tapped into, one that circumvents the current protection settings and even Microsoft's new Attack Surface Reduction technology.

.SettingContent-ms file type is a format that was introduced in Windows 10 and allows a user to create shortcuts to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

A modified ControlPanel.settingcontent-ms file to run calc.exe

<?xml version-"1.0" encoding-"UTF-8"?>
 <SearchableContent xmlns=" com/Search/2013/SettingContent">
   <DeepLink>cmd.exe /c calc.exe</DeepLink>
   <Description>@shel132.dll, -4161</Description>
   <Keywords>@shel132. dll, -4161</Keywords>

This feature can be abused because one of its elements (DeepLink) allows for any binary with parameters to be executed. All that an attacker needs to do is add his own command using Powershell.exe or Cmd.exe, as typical with most attacks.

By embedding a specially-crafted settings file into an Office document, an attacker can trick a user to run malicious code without any further warning or notification.

Embedded OLE .settingcontenct-ms object when click could trick user to open content

How to Prevent these Attacks

1) Use my simple hack to force Poweshell a UAC pop-up, allowing you to deny script launches.
2) add to AVP 


No comments:

Post a Comment