Zero Day Initiative threat researchers discovered CVE-2024-38213, a simple and effective way to bypass Windows Mark-of-the-Web protections, leading to remote code execution.

In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to activity by DarkGate operators who were infecting users through copy-and-paste operations. This DarkGate campaign was an update of a previous campaign in which the DarkGate operators exploited a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year. The investigation into this campaign directly led to further vulnerability research into Windows Defender SmartScreen and into how files originating from WebDAV shares are handled during copy-and-paste operations. As a result, we discovered and reported CVE-2024-38213 to Microsoft, which patched it in June. This exploit, which we have named copy2pwn, results in a file from a WebDAV share being copied locally without Mark-of-the-Web protections.

What is Web-based Distributed Authoring and Versioning (WebDAV)?

Web-based Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP). It adds functionality to HTTP, including authoring, sharing, and versioning of resources on a server.
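To make the "extension to HTTP" concrete, here is an added example (not code from the ZDI post) of the exchange a WebDAV client performs to list a share: a PROPFIND request, which is an HTTP method that plain HTTP does not define, and the 207 Multi-Status XML reply it gets back. The host name, share path, file name and the reply body are all constructed for the example; the namespace and element names are the standard DAV: ones.

```python
"""Minimal WebDAV PROPFIND exchange, built and parsed offline.

Added example, not code from the ZDI post. The host, path, file names and
the sample 207 reply are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {"D": "DAV:"}   # the WebDAV XML namespace (RFC 4918)


def build_propfind(host: str, path: str, depth: int = 1) -> bytes:
    """Build the PROPFIND request a client sends to list a collection.

    Depth: 1 asks for the collection itself plus its immediate children,
    which is what a file-browser view of a share needs.
    """
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<D:propfind xmlns:D="DAV:"><D:prop>'
        '<D:resourcetype/><D:getcontentlength/><D:getlastmodified/>'
        "</D:prop></D:propfind>"
    ).encode()
    headers = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Depth: {depth}\r\n"
        "Content-Type: application/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


def parse_multistatus(xml_body: bytes) -> list[dict]:
    """Turn a 207 Multi-Status body into a list of share entries.

    Each <D:response> is one resource; only <D:propstat> blocks whose
    status is 200 carry usable properties (a server returns 404 propstats
    for properties it does not have).
    """
    # For XML from an untrusted server, parse with defusedxml instead.
    root = ET.fromstring(xml_body)
    entries = []
    for resp in root.findall("D:response", NS):
        href = resp.findtext("D:href", default="", namespaces=NS)
        entry = {"href": href, "is_collection": False, "size": None}
        for ps in resp.findall("D:propstat", NS):
            status = ps.findtext("D:status", default="", namespaces=NS)
            if "200" not in status.split():
                continue
            prop = ps.find("D:prop", NS)
            if prop is None:
                continue
            rtype = prop.find("D:resourcetype", NS)
            if rtype is not None and rtype.find("D:collection", NS) is not None:
                entry["is_collection"] = True
            length = prop.findtext("D:getcontentlength", default=None, namespaces=NS)
            if length is not None and length.strip().isdigit():
                entry["size"] = int(length)
        entries.append(entry)
    return entries


# Constructed reply: a share containing one executable. Note the second
# propstat with a 404 status, which parse_multistatus ignores.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response>
  <D:href>/share/</D:href>
  <D:propstat>
   <D:prop><D:resourcetype><D:collection/></D:resourcetype></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
 </D:response>
 <D:response>
  <D:href>/share/update.exe</D:href>
  <D:propstat>
   <D:prop><D:resourcetype/><D:getcontentlength>4096</D:getcontentlength></D:prop>
   <D:status>HTTP/1.1 200 OK</D:status>
  </D:propstat>
  <D:propstat>
   <D:prop><D:getlastmodified/></D:prop>
   <D:status>HTTP/1.1 404 Not Found</D:status>
  </D:propstat>
 </D:response>
</D:multistatus>
"""

if __name__ == "__main__":
    print(build_propfind("example.test", "/share/").decode())
    for e in parse_multistatus(SAMPLE_RESPONSE):
        print(e)
```

The request is ordinary HTTP/1.1 on the wire, which is why a WebDAV share can sit behind any web server and be reached through a browser; the only WebDAV-specific parts are the method, the Depth header and the XML bodies.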

Since WebDAV is based on HTTP, WebDAV shares can be accessed from a web browser over HTTP, for example, at[…]