A sophisticated zero-click attack methodology known as RenderShock exploits passive file preview and indexing behaviors in modern operating systems to execute malicious payloads without requiring any user interaction.
Unlike traditional phishing campaigns that rely on users clicking malicious links or opening infected attachments, RenderShock leverages built-in system automation features to achieve compromise through legitimate background processes.
Key Takeaways
1. RenderShock attacks exploit file preview systems without requiring user interaction.
2. Affects Windows Explorer, macOS Quick Look, and automated file indexing services.
3. Uses malicious LNK files, PDFs, and Office documents to trigger NTLM theft and code execution.
4. Enables credential harvesting and remote access; mitigation requires disabling preview panes and blocking SMB traffic.
RenderShock 0-Click Vulnerability
CYFIRMA reports that RenderShock targets multiple passive execution surfaces that automatically interact with file content without explicit user action.
The vulnerability affects the Windows Explorer Preview Pane, macOS Quick Look, email client preview systems, and file indexing services, including Windows Search Indexer and Spotlight.
RenderShock Passive Execution Flow
These systems process files in memory, often invoking registered preview handlers that can trigger malicious code execution.
The attack methodology exploits preview subsystems by embedding malicious logic in document metadata, using UNC paths for NTLM credential harvesting, and leveraging Office macro execution during preview rendering.
For example, a crafted PDF with external references can trigger outbound SMB connections when processed by preview handlers, potentially leaking NTLMv2 hashes to attacker-controlled servers.
RenderShock employs both foundational and advanced payload techniques. Foundational payloads include malicious LNK files with UNC icon paths that cause Windows Explorer to initiate NTLM authentication when browsing folders, and RTF files containing INCLUDEPICTURE field injections that fetch remote resources during preview.
Advanced techniques involve polyglot file formats that confuse multiple parsers, remote template injection in Office documents without macros, and poisoned ICC color profiles in images.
A typical attack chain involves creating a malicious .lnk file with a remote icon path (\\attacker-ip\icon.ico), embedding it in a ZIP archive, and delivering it through helpdesk portals or shared directories.
When users preview the ZIP contents, Windows automatically attempts to load the remote icon, triggering SMB authentication requests that can be intercepted using tools like Responder.
Mitigations
The vulnerability enables multiple attack vectors, including reconnaissance through passive beacons, credential theft via NTLMv2 harvesting, and remote code execution through preview-based macro execution.
Attackers can achieve persistence by placing malicious .desktop files or LaunchAgents in trusted autostart directories, and perform lateral movement using harvested credentials.
Security teams should implement comprehensive defenses, including disabling preview panes in Windows Explorer and Quick Look on macOS, blocking outbound SMB traffic (TCP 445) to untrusted networks, and enforcing macro blocking through Group Policy.
Organizations must also deploy behavioral monitoring to detect unusual network activity from preview-related processes such as explorer.exe, searchindexer.exe, and quicklookd.
The RenderShock framework demonstrates that modern computing environments' emphasis on user convenience creates silent execution paths that require no interaction, fundamentally challenging traditional security assumptions about file-based attacks and necessitating a reevaluation of how systems handle passive file processing.
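One way to act on this monitoring advice, as an added example that is not code from CYFIRMA or the article: a small Python filter that reads connection telemetry and flags the preview and indexing processes named above when they open outbound SMB (TCP 445) to addresses outside trusted internal ranges. The key=value log format, host names and addresses are constructed for the example, and the choice of RFC 1918 space as the trusted set is an assumption to tune per site.

```python
import ipaddress

# Preview/indexing processes the article names as passive execution surfaces.
PREVIEW_PROCESSES = {"explorer.exe", "searchindexer.exe", "quicklookd"}
SMB_PORT = 445
# Assumption: SMB is only legitimate toward RFC 1918 space; tune to the site.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Parse one 'key=value ...' connection record (constructed log format)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_suspicious(process, dst_ip, dst_port):
    """True when a preview/indexing process opens SMB to an untrusted address."""
    if process.lower() not in PREVIEW_PROCESSES or dst_port != SMB_PORT:
        return False
    try:
        ip = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # not an IP literal; nothing to classify
    return not any(ip in net for net in TRUSTED_NETS)

def scan(lines):
    """Return (host, process, dest) for every record matching the pattern."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        try:
            port = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # skip malformed records
        if is_suspicious(rec.get("proc", ""), rec.get("dst", ""), port):
            alerts.append((rec.get("host", "?"), rec["proc"], rec["dst"]))
    return alerts

# Constructed sample telemetry (not real data): preview processes on WS01 and
# MAC01 reach SMB on TEST-NET addresses; the other three lines are benign.
SAMPLE_LOG = """\
ts=2025-07-18T10:01:02Z host=WS01 proc=explorer.exe dst=203.0.113.7 dport=445
ts=2025-07-18T10:01:05Z host=WS01 proc=chrome.exe dst=203.0.113.7 dport=443
ts=2025-07-18T10:02:10Z host=WS02 proc=searchindexer.exe dst=192.168.1.20 dport=445
ts=2025-07-18T10:03:30Z host=MAC01 proc=quicklookd dst=198.51.100.9 dport=445
ts=2025-07-18T10:04:00Z host=WS03 proc=EXPLORER.EXE dst=198.51.100.9 dport=443
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields two alerts, for WS01 and MAC01; the searchindexer.exe connection to an internal address and the non-SMB connections are left alone.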