CVE-2024-38213 — Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

Windows SmartScreen — Zero-Day WebDAV-Based Bypass Silently Strips MotW to Enable File Execution Without Warnings; DarkGate Malware Delivery; August 2024 Patch Tuesday

What is Windows SmartScreen?

Windows SmartScreen is a security feature that evaluates files with the Mark of the Web (MotW) tag — applied to files downloaded from the internet — and displays a warning ("Windows protected your PC") before allowing execution of unrecognized programs. For Office documents, it triggers Protected View. SmartScreen relies entirely on the presence of the MotW Zone.Identifier alternate data stream: if a file arrives on disk without this tag, SmartScreen does not evaluate it and no warning is displayed. Bypassing SmartScreen by preventing MotW application is a common objective for malware delivery campaigns, as it allows malicious executables to run without triggering the user-visible warning that frequently stops infections.

Overview

CVE-2024-38213 is a zero-day SmartScreen security feature bypass vulnerability discovered in the context of DarkGate malware delivery campaigns and patched on August 13, 2024 (August Patch Tuesday). The bypass leverages how Windows handles files accessed from WebDAV shares: when a file is opened directly from a mapped WebDAV network drive, Windows does not apply MotW to the locally cached copy, allowing the file to execute without SmartScreen evaluation. This "copy2pwn" style technique was used to deliver DarkGate — a malware-as-a-service loader widely used for ransomware deployment — through phishing campaigns directing victims to attacker-controlled WebDAV servers.

Affected Versions

Product: Status
Windows 10 (all supported versions): Patched, August 2024 Patch Tuesday
Windows 11 (all supported versions): Patched, August 2024 Patch Tuesday
Windows Server 2016 and later: Patched, August 2024 Patch Tuesday

Technical Details

CWE-693 (Protection Mechanism Failure). The bypass exploits how Windows processes files from WebDAV-mapped network shares. When a file is accessed from a mapped network drive (including a WebDAV share presented as a drive letter via net use), Windows does not stamp the resulting cached file copy with a Zone.Identifier ADS. The WebDAV protocol serves files over HTTP/HTTPS, but when mounted as a drive, Windows treats the source as a network location rather than an internet download, bypassing the MotW tagging logic that applies to browser and email downloads.

An attacker delivers a malicious file by directing a victim to a WebDAV URL that Windows mounts automatically (via \\server\share UNC path or file:// URL trickery), or by using a phishing email with a link that triggers WebDAV mounting. When the victim opens the file from the resulting mapped drive, no MotW is applied and SmartScreen displays no warning before execution.
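The two sections above come down to one observable artefact: whether a file on disk carries a Zone.Identifier alternate data stream. The following PowerShell is an added example, not code from the advisory or from Microsoft, that reads and interprets that stream and audits a folder for executable-type files that lack it. It assumes Windows with an NTFS volume; the sample files, file names and the example.invalid URL it creates for the demo are constructed, and the file-extension list is an assumption you can adjust.

```powershell
# Added example, not code from the advisory: audit files for the Mark of the Web
# (the Zone.Identifier alternate data stream) that SmartScreen's decision depends on.
# Assumes Windows with an NTFS volume; the sample files and URLs below are constructed.

function Get-MotWZone {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    $result = [ordered]@{ Path = $Path; HasMotW = $false; ZoneId = $null; Zone = 'None'
                          HostUrl = $null; ReferrerUrl = $null; SmartScreenChecks = $false }

    # Reading the stream throws when the file has no Zone.Identifier ADS, i.e. no MotW.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return [pscustomobject]$result
    }

    # The stream is INI-style text: [ZoneTransfer] followed by ZoneId=, HostUrl=, ReferrerUrl= lines.
    foreach ($line in $lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') {
            $result.ZoneId = [int]$Matches[1]
        } elseif ($line -match '^\s*HostUrl\s*=\s*(.+)$') {
            $result.HostUrl = $Matches[1].Trim()
        } elseif ($line -match '^\s*ReferrerUrl\s*=\s*(.+)$') {
            $result.ReferrerUrl = $Matches[1].Trim()
        }
    }
    if ($null -ne $result.ZoneId) {
        $result.HasMotW = $true
        $result.Zone = if ($zoneNames.ContainsKey($result.ZoneId)) { $zoneNames[$result.ZoneId] } else { "Unknown ($($result.ZoneId))" }
        # SmartScreen and Office Protected View act on Internet (3) and Restricted Sites (4) content.
        $result.SmartScreenChecks = $result.ZoneId -ge 3
    }
    return [pscustomobject]$result
}

function Get-UntaggedExecutables {
    # Report executable-type files under a folder that carry no MotW at all. On a machine whose
    # downloads normally arrive via browser or mail client, these deserve a second look.
    param([Parameter(Mandatory)][string]$Folder,
          [string[]]$Extensions = @('.exe', '.msi', '.lnk', '.js', '.vbs', '.hta', '.bat', '.cmd', '.ps1'))  # assumed list
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object { Get-MotWZone -Path $_.FullName } |
        Where-Object { -not $_.HasMotW }
}

# --- Demo with constructed files (no real downloads involved) ---
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null

# File 1: stamped the way a browser download is (ZoneId=3, Internet zone).
$tagged = Join-Path $demo 'browser-download.exe'
Set-Content -LiteralPath $tagged -Value 'placeholder'
Set-Content -LiteralPath $tagged -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/installer.exe')

# File 2: written with no Zone.Identifier, which is what a file opened from a
# mapped WebDAV drive looks like on disk under the behaviour described above.
$untagged = Join-Path $demo 'from-webdav-share.exe'
Set-Content -LiteralPath $untagged -Value 'placeholder'

Get-ChildItem -LiteralPath $demo -File | ForEach-Object { Get-MotWZone -Path $_.FullName } |
    Format-Table Path, HasMotW, ZoneId, Zone, SmartScreenChecks -AutoSize

'Executables without MotW in the demo folder:'
Get-UntaggedExecutables -Folder $demo | Select-Object -ExpandProperty Path

Remove-Item -LiteralPath $demo -Recurse -Force
```

Run it as-is to see the two cases side by side; point `Get-UntaggedExecutables` at a user's Downloads folder or a file server drop area to use it as an audit. The ZoneId threshold of 3 is the same boundary SmartScreen uses, so `SmartScreenChecks` tells you directly whether the "Windows protected your PC" prompt would have had a chance to fire.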

Discovery

Discovered by Trend Micro researchers while analyzing DarkGate malware delivery infrastructure. The technique was observed being actively used by DarkGate operators in phishing campaigns before the patch was available. Trend Micro and HP Threat Research published related research on WebDAV-based MotW bypass techniques ("copy2pwn") around the same period.

Exploitation Context

DarkGate is a malware-as-a-service (MaaS) loader operated by multiple criminal groups, used to deliver secondary payloads including Cobalt Strike beacons, ransomware, and information stealers. DarkGate operators actively updated their delivery mechanisms throughout 2024 to bypass new SmartScreen protections — this WebDAV bypass was one of several techniques used after earlier SmartScreen bypass methods (CVE-2024-21412 from February 2024, CVE-2024-29988 from April 2024) were patched. The recurring pattern reflects the high commercial value of SmartScreen bypasses for the malware delivery ecosystem.

Remediation

  1. Apply the August 2024 Windows security updates (Patch Tuesday, August 13, 2024) to all affected systems.
  2. Block outbound WebDAV traffic at the network perimeter: SMB/UNC on port 445 and HTTP/HTTPS WebDAV on ports 80/443. The WebDAV-based MotW bypass requires the victim's machine to reach an attacker-controlled WebDAV server, so denying that path breaks the delivery chain.
  3. Disable the WebClient service on endpoints where WebDAV drive mounting is not needed; without it, Windows cannot auto-mount WebDAV shares from UNC paths or links.
  4. Deploy email gateway rules to block or quarantine messages containing \\ UNC paths or WebDAV URLs in HTML email bodies.
  5. Ensure endpoint protection can detect DarkGate and related loaders regardless of MotW status, as the bypass disables the user-warning defense layer, not endpoint AV/EDR detection.
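The endpoint side of steps 2 and 3 above can be checked and enforced from PowerShell. The following is an added example, not code from the advisory or from Microsoft. It assumes an elevated PowerShell session on a Windows client; the markers it uses to spot WebDAV drive mappings (a provider name of "Web Client Network", or `DavWWWRoot`, `@SSL` or `@<port>` in the remote path) are a heuristic, not a guarantee.

```powershell
# Added example, not part of the advisory: endpoint-side checks for remediation steps 2 and 3
# (WebClient service state and any WebDAV drive mappings the session currently holds).
# Assumes an elevated PowerShell session on Windows; the WebDAV path markers are a heuristic.

function Get-WebDavExposure {
    # WebClient is the WebDAV mini-redirector. While it can start, a UNC or file:// lure can
    # auto-mount an attacker-controlled share; StartMode 'Disabled' removes that path.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'" -ErrorAction SilentlyContinue

    # Drive mappings as `net use` would list them; filter for the WebDAV redirector's markers.
    $maps = Get-CimInstance -ClassName Win32_NetworkConnection -ErrorAction SilentlyContinue
    $dav = @($maps | Where-Object {
        $_.ProviderName -eq 'Web Client Network' -or $_.RemoteName -match 'DavWWWRoot|@SSL|@\d+'
    } | Select-Object LocalName, RemoteName, ProviderName)

    [pscustomobject]@{
        WebClientPresent   = [bool]$svc
        WebClientState     = if ($svc) { $svc.State } else { 'NotInstalled' }
        WebClientStartMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        WebDavMappings     = $dav
        # Exposed = the service exists and is still allowed to start (Auto or Manual/trigger start).
        Exposed            = [bool]$svc -and ($svc.StartMode -ne 'Disabled')
    }
}

function Disable-WebClientService {
    # Step 3: stop the service and prevent it from starting again. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Verbose 'WebClient service not installed'; return }
    if ($PSCmdlet.ShouldProcess('WebClient', 'Stop and set startup type to Disabled')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

# Usage: report first, then disable only where the service is still startable.
$before = Get-WebDavExposure
$before | Format-List
$before.WebDavMappings | Format-Table -AutoSize
if ($before.Exposed) { Disable-WebClientService -WhatIf }   # drop -WhatIf to apply the change
```

`Get-WebDavExposure` is read-only and safe to run fleet-wide through your management tooling; any non-empty `WebDavMappings` on a workstation that has no business mounting WebDAV shares is worth investigating under step 5 before the mapping is removed. The perimeter block in step 2 still belongs on the firewall, since a client-side rule cannot distinguish WebDAV from ordinary web traffic on ports 80 and 443.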

Key Details

Property: Value
CVE ID: CVE-2024-38213
Vendor / Product: Microsoft — Windows
NVD Published: 2024-08-13
NVD Last Modified: 2025-10-28
CVSS 3.1 Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity: MEDIUM
CWE: CWE-693
CISA KEV Added: 2024-08-13
CISA KEV Deadline: 2024-09-03
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2024-09-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date: Event
2024-03-12: Earlier SmartScreen bypass CVE-2024-21412 patched; same attack pattern
2024-08-13: Microsoft patches CVE-2024-38213 as a zero-day on August 2024 Patch Tuesday; CISA adds it to KEV the same day
2024-09-03: CISA BOD 22-01 remediation deadline

References

Resource: Type
Microsoft Security Advisory — CVE-2024-38213: Vendor Advisory
NVD — CVE-2024-38213: Vulnerability Database
CISA KEV Catalog Entry: US Government