Application Security

9/5/2018
05:26 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

PowerPool Malware Uses Windows Zero-Day Posted on Twitter

Researchers detected the vulnerability in an attack campaign two days after it was posted on social media.

There are several good reasons why you shouldn't post zero-day exploits on social media. For starters, lurking attackers will snatch the code and leverage it in a malware campaign.

Such is the case with a Microsoft Windows zero-day bug shared on Twitter last week. Two days after the vulnerability and proof-of-concept was posted on Twitter and GitHub, respectively, ESET researchers identified the exploit in a campaign from the PowerPool threat group.

The vulnerability, first shared in a (now deleted) tweet on August 27, affects the Advanced Local Procedure Call (ALPC) function within the Windows Task Manager in  Windows 7 through Windows 10. The flaw allows Local Privilege Escalation (LPE), which lets an executable escalate privileges and allows restricted users launch a process to gain administrative control.

Twitter user SandboxEscaper, who sent the initial post, linked back to a GitHub repository with PoC code. It didn't take long for attackers to modify and recompile the exploit. PowerPool, which has a range of tools already at its disposal, took advantage.

PowerPool has a small bunch of targets, researchers explain in a blog post on the discovery. It may be too early to tell, but few occurrences indicate recipients are carefully chosen and not part of a spam campaign. ESET telemetry and uploads to VirusTotal (experts only accounted for manual uploads from the Web interface) indicate affected countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

"We guess this is an espionage campaign, due to the nature of their backdoors," says ESET malware researcher Matthieu Faou. "However, their malware are basic and cannot be compared to the ones developed by most APT groups."

While this campaign is more targeted, PowerPool has previously launched spam attacks. ESET data shows the group has been active since 2017 but hasn't been linked to any public breaches.

But First, They Changed the Code

PowerPool didn't use the exact binary that SandboxEscaper posted. Instead, they modified and recompiled the source code to insert their own malware and gain system privileges. The binary provided at the time of disclosure is a PoC showing how to exploit the flaw, Faou explains. It's not really malicious, he says, because it will ultimately execute notepad.exe with system privileges. PowerPool wanted to execute their own malware.

The flaw is in the SchRpcSetSecurity API function, which doesn't correctly check user permissions. This grants anyone write access to files in the Task Manager regardless of their rights; as a result, people with read-only access can replace content in write-protected files or create a file within the folder to link to, and gain write access to, any target file.

The exploit can also be used to replace content of protected target files with malicious code, giving malware admin rights. PowerPool chose to weaponize the vuln by changing the content of GoogleUpdate.exe, the updater for Google apps typically run under admin privileges by a Microsoft Windows task. Once they have write access, they overwrite GoogleUpdate.exe with a copy of their second-stage malware to gain system rights when the updater is next called.

The group uses a few different tactics for initial compromise, one of which involves emails with their first-stage malware as an attachment. From there, attackers primarily use two different backdoors: one deployed after the initial compromise and a second-stage backdoor.

The first-stage backdoor does reconnaissance on the machine and includes two executables. First of these is the main backdoor; this establishes persistence through a service and collects proxy information. The C&C server's address is included in this binary, which can execute commands and send information on the target device back to the C&C server. The second executable captures a screenshot of the target's display and exfiltrates it through the backdoor.

Next up is the second backdoor, which is malware downloaded via the first stage. Researchers speculate this is when the operators determine the machine is interesting enough to warrant further analysis; however, "it is clearly not a state-of-the-art APT backdoor," they report.

Once attackers gain persistent access to a machine with the second backdoor, they leverage open-source tools (mostly written in PowerShell) to move laterally throughout the network.

Vulnerability Disclosure 101

Faou says the nature of this disclosure made weaponization simple for PowerPool.

"First, what is really important in this vulnerability disclosure is the release of the source code of the exploit, and not only a compiled version of it," he explains. "Thus, this is easy for malware developers to reuse it in their malware."

In contrast, when only a compiled version is available, malware developers first should reverse-engineer the exploit before including their malware. The process can be time-consuming, he says, and difficult to finish before a patch is issued for the bug.

Security researchers who discover vulnerabilities should coordinate disclosure with the vendor, giving them time to issue a fix before the bug is made public, Faou continues. This protects users; it's unlikely vulnerabilities will be used in massive campaigns before public disclosure.

While this campaign only targets a limited pool of victims, ESET researchers still urge caution: "…it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available," they say.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19301
PUBLISHED: 2018-11-15
tp4a TELEPORT 3.1.0 allows XSS via the login page because a crafted username is mishandled when an administrator later views the system log.
CVE-2018-5407
PUBLISHED: 2018-11-15
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.
CVE-2018-14934
PUBLISHED: 2018-11-15
The Bluetooth subsystem on Polycom Trio devices with software before 5.5.4 has Incorrect Access Control. An attacker can connect without authentication and subsequently record audio from the device microphone.
CVE-2018-14935
PUBLISHED: 2018-11-15
The Web administration console on Polycom Trio devices with software before 5.5.4 has XSS.
CVE-2018-16619
PUBLISHED: 2018-11-15
Sonatype Nexus Repository Manager before 3.14 allows XSS.