Image: Ryoji Iwata
Kaspersky security researchers have identified a new threat actor, dubbed PuzzleMaker, that used a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against several companies worldwide.
According to Kaspersky, the attacks coordinated by PuzzleMaker were first observed in mid-April, when the first victims' networks were compromised.
After the initial Chrome compromise, the PuzzleMaker threat actors used an elevation-of-privilege exploit custom-tailored to the latest Windows 10 builds. It combines an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) with a Windows NTFS elevation-of-privilege bug (CVE-2021-31956, a heap buffer overflow in ntfs.sys); the kernel information leak supplies the addresses needed to exploit the NTFS bug reliably on a system with kernel ASLR. Both vulnerabilities were patched in the June 2021 Patch Tuesday release.
Malware deployed with system privileges
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with SYSTEM privileges on compromised Windows 10 systems.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
“This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.
“The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
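The dropper behaviour quoted above (two executables posing as Microsoft Windows files) suggests a simple hunting check: a binary can borrow a Microsoft-looking name, but it cannot carry a valid Microsoft Authenticode signature. The script below is an added example for this article and is not code from Kaspersky's report; the directory list, the 90-day recency window and the `O=Microsoft Corporation` subject match are assumptions chosen for illustration.

```powershell
# Added hunting check (not from the Kaspersky report): list recently written
# .exe files under the Windows system directories whose Authenticode signature
# is missing, invalid, or not issued by Microsoft, and record their SHA256 so
# the result can be compared against published IOC hashes.
# The paths, the 90-day window and the subject match are assumptions.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32",
                         "$env:SystemRoot\SysWOW64",
                         "$env:SystemRoot"),
    [int]$NewerThanDays = 90
)

$cutoff = (Get-Date).AddDays(-$NewerThanDays)

$suspects = foreach ($dir in $Paths) {
    Get-ChildItem -Path $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # A file only passes if the signature verifies AND the signer is Microsoft;
            # a valid signature from any other publisher is still reported.
            $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

            if (-not $isMicrosoft) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    SigStatus     = $sig.Status      # NotSigned, HashMismatch, Valid, ...
                    Signer        = $signer
                    SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

$suspects | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so every file is readable. Most genuine Windows binaries are catalog-signed rather than carrying an embedded signature; on Windows 10, Get-AuthenticodeSignature resolves catalog signatures and reports them as Valid, but establish the baseline on a known-clean host first so that third-party tooling in these directories is not mistaken for the dropper's payload. The SHA256 column is what you compare against the hashes Kaspersky publishes.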
Chrome and Windows zero-days galore
This is not the first Chrome zero-day exploit chain used in the wild in recent months.
Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.
The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
Project Zero researchers collected a trove of information from the exploit servers used in the two campaigns, including:
- renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
- two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
- a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
“Overall, of late, we have been seeing several waves of high-profile threat activity being driven by zero-day exploits,” added Boris Larin, senior security researcher with Kaspersky's Global Research and Analysis Team (GReAT).
“It is a reminder that zero days continue to be the most effective method for infecting targets.”
Indicators of compromise (IOCs), including malware sample hashes, can be found at the end of Kaspersky's report.