In Windows 10, Microsoft added a new ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs.

At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

Bypassing Controlled Folder Access using DLL injection

Controlled Folder Access is a feature that allows you to protect folders and the files inside them so that they can only be modified by an application that is whitelisted. The whitelisted applications are either ones that you specify or ones that are whitelisted by default by Microsoft.

Knowing that the explorer.exe program is whitelisted in Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started. Since Explorer is whitelisted, when the DLL is injected it will launch and be able to bypass the ransomware protection feature.

To do this, Aoyama relied on the fact that when explorer.exe starts, it will load DLLs found under the HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers registry key shown below.

The HKEY_CLASSES_ROOT tree is a merge of registry information found in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. When performing the merge, Windows gives the data in the HKCU tree precedence.

This means that if a key exists in HKCU, it would take precedence over the same key in HKLM, and be the data merged into the HKEY_CLASSES_ROOT tree. I know this can be a bit confusing, so you can read this document for more information.

By default, when explorer starts it loads Shell32.dll from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key. To load the malicious DLL into explorer.exe instead, Aoyama simply created a HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key and set its default value to the malicious DLL.

Now when Explorer.exe is killed and restarted, the malicious DLL will be launched inside explorer.exe rather than Shell32.dll. You can see an example of the DLL injected into explorer.exe below.

Unfortunately, not only did this bypass the Controlled Folder Access, but it also was not detected by Windows Defender. To be fair, according to Aoyama's tests, it was not detected by Avast, ESET, Malwarebytes Premium, and McAfee - all of which have ransomware protection.

For more details and to see Aoyama's DerbyCon talk and demonstration, you can view the video below.

MSRC responds to vulnerability report

Aoyama has stated that before he gave this presentation he had responsibly disclosed this vulnerability to the Microsoft Security Response Center and included a proof-of-concept that could be used to bypass Controlled Folder Access.

Microsoft, though, did not feel that this was a vulnerability that warranted a bounty or that requires a patch.

"If I am interpreting your findings correctly, this report predicated on the attacker having login access to the target's account already," stated Microsoft's response to Aoyama. "Followed by planting a DLL through registry modifications. Since you are only able to write to the HKCU, you will not be able to effect other users, just the target you have already compromised through other means. There also does not appear to be an escalation privileges and you already had the same access level as the target."

Unfortunately a ransomware does not need an escalation of privileges to encrypt a victim's computer. Yes, it needs it for the clearing of shadow volume copies, but a malware developer can use other exploits or methods to execute vssadmin.

What this does allow, is for malware to be installed without administrative privileges and still be able to bypass the ransomware protection of Controlled Folder Access. This does not sound like a good thing.