SettingContent-ms file

Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June.

The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs.
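For defenders who want to triage such shortcut files, the following Python script is an added example (not code from the article, from Nelson's research, or from any of the researchers quoted here). It assumes the publicly documented layout of a .SettingContent-ms file: an XML document whose DeepLink element holds the command line the Settings app runs when the shortcut is opened. Genuine shortcuts point at control.exe or an ms-settings: URI, so the script flags any DeepLink that launches something else or carries tokens that do not belong in a Settings shortcut. The two samples are constructed for the example; the suspicious one uses an obviously placeholder command.

```python
"""Added example: triage .SettingContent-ms files by inspecting their DeepLink.

Assumption (from the public file format, not stated in the article): the
ApplicationInformation/DeepLink element holds the command line that Windows
runs when the shortcut is opened.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Executables a genuine Windows Settings shortcut is expected to launch.
EXPECTED_BINARIES = {"control.exe", "systemsettings.exe"}

# Tokens that have no business in a Settings shortcut's command line.
SUSPICIOUS_TOKENS = (
    "cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32",
    "regsvr32", "certutil", "bitsadmin", "http://", "https://", "&", "|", "^",
)

# First token of the command line: either a quoted path or a run of non-spaces.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed sample modelled on the Default Programs shortcut shipped with Windows.
BENIGN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe /name Microsoft.DefaultPrograms /page pageDefaultProgram</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

# Constructed sample with a placeholder command instead of a Settings page.
SUSPECT_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\cmd.exe /c PLACEHOLDER_COMMAND</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""


def deep_links(xml_text):
    """Return every non-empty DeepLink value, ignoring XML namespaces."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return [
        el.text.strip()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text and el.text.strip()
    ]


def classify_deeplink(link):
    """Return (verdict, reasons) for a single DeepLink command line."""
    reasons = []
    lowered = link.lower()
    if lowered.startswith("ms-settings:"):
        return "benign", reasons  # URI handled by the Settings app itself
    match = _FIRST_TOKEN.match(link)
    program = (match.group(1) or match.group(2)) if match else ""
    exe = ntpath.basename(program).lower()
    if exe not in EXPECTED_BINARIES:
        reasons.append(f"unexpected executable: {exe or '<none>'}")
    for token in SUSPICIOUS_TOKENS:
        if token in lowered:
            reasons.append(f"suspicious token: {token}")
    return ("suspicious" if reasons else "benign"), reasons


def scan_settingcontent(xml_text):
    """Triage one document; returns a list of (deeplink, verdict, reasons)."""
    try:
        links = deep_links(xml_text)
    except ET.ParseError as exc:
        # A file that will not parse is itself worth a look.
        return [("", "malformed", [f"not well-formed XML: {exc}"])]
    if not links:
        return [("", "suspicious", ["no DeepLink element found"])]
    return [(link, *classify_deeplink(link)) for link in links]


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        for link, verdict, reasons in scan_settingcontent(sample):
            print(f"{name}: {verdict} {link!r} {reasons}")
```

The check is deliberately conservative: it does not try to expand environment variables or resolve the path, it only asks whether the launched program is one Windows itself would use for a Settings page and whether the rest of the command line looks like something other than a Settings page selector. In practice you would run scan_settingcontent over the contents of files pulled from mail attachments or a quarantine directory.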

Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim’s system.

More SettingContent-ms exploits detected each day

With each passing day, more and more exploits are being uploaded on VirusTotal. FireEye security researcher Nick Carr has been avidly tracking these uploads for the past two weeks and has been documenting new findings in Twitter threads like this, this, this, this, or this.

But while previous uploads have been mostly inept tests [1, 2], in recent days, crooks have also put together the first exploit chain that uses a SettingContent-ms file to actually download and install a malware sample.

For example, according to Carr, this SettingContent-ms file will download and run an EXE file that contains the Remcos remote access trojan (RAT).

While you could attribute some of these VirusTotal uploads to security researchers playing around with Nelson’s PoC, the discovery of a weaponized exploit suggests that some malware distributors are serious about their tests, and says something about their intentions.

Jérôme Segura, a Malwarebytes security researcher who penned a blog post about the weaponized SettingContent-ms exploit that Carr discovered, told Bleeping Computer he too expects this to be integrated into live distribution campaigns.

“Its name ‘quotation’ is very much like a lure we see in malspam,” Segura said, referring to the VT upload’s name of “Quotation_Request_Sheet.SettingContent-ms.”

Is it OK to publish offensive hacking techniques?

But the rise in weaponized SettingContent-ms exploits uploaded on VirusTotal has also sparked discussions in the infosec community about the practice of blogging about offensive hacking tricks, like the Nelson article about the SettingContent-ms technique.

You can follow the discussion via this Twitter thread, and see opinions that support keeping such techniques secret, while others argue that “security through obscurity” only helps attackers.

One of the most interesting replies in this conversation came from Justin Warner, technical director at cyber-security firm ICEBRG.

“A really interesting side effect of releasing the tradecraft is funneling actors to predictable behaviors, that are generally documented and easily studied after release,” Warner said. “[A public offensive hacking technique] lures threats to predictable detection points.”

Image credits: Nick Carr