Application Security

9/5/2018
05:26 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

PowerPool Malware Uses Windows Zero-Day Posted on Twitter

Researchers detected the vulnerability in an attack campaign two days after it was posted on social media.

There are several good reasons why you shouldn't post zero-day exploits on social media. For starters, lurking attackers will snatch the code and leverage it in a malware campaign.

Such is the case with a Microsoft Windows zero-day bug shared on Twitter last week. Two days after the vulnerability and proof-of-concept was posted on Twitter and GitHub, respectively, ESET researchers identified the exploit in a campaign from the PowerPool threat group.

The vulnerability, first shared in a (now deleted) tweet on August 27, affects the Advanced Local Procedure Call (ALPC) function within the Windows Task Manager in  Windows 7 through Windows 10. The flaw allows Local Privilege Escalation (LPE), which lets an executable escalate privileges and allows restricted users launch a process to gain administrative control.

Twitter user SandboxEscaper, who sent the initial post, linked back to a GitHub repository with PoC code. It didn't take long for attackers to modify and recompile the exploit. PowerPool, which has a range of tools already at its disposal, took advantage.

PowerPool has a small bunch of targets, researchers explain in a blog post on the discovery. It may be too early to tell, but few occurrences indicate recipients are carefully chosen and not part of a spam campaign. ESET telemetry and uploads to VirusTotal (experts only accounted for manual uploads from the Web interface) indicate affected countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

"We guess this is an espionage campaign, due to the nature of their backdoors," says ESET malware researcher Matthieu Faou. "However, their malware are basic and cannot be compared to the ones developed by most APT groups."

While this campaign is more targeted, PowerPool has previously launched spam attacks. ESET data shows the group has been active since 2017 but hasn't been linked to any public breaches.

But First, They Changed the Code

PowerPool didn't use the exact binary that SandboxEscaper posted. Instead, they modified and recompiled the source code to insert their own malware and gain system privileges. The binary provided at the time of disclosure is a PoC showing how to exploit the flaw, Faou explains. It's not really malicious, he says, because it will ultimately execute notepad.exe with system privileges. PowerPool wanted to execute their own malware.

The flaw is in the SchRpcSetSecurity API function, which doesn't correctly check user permissions. This grants anyone write access to files in the Task Manager regardless of their rights; as a result, people with read-only access can replace content in write-protected files or create a file within the folder to link to, and gain write access to, any target file.

The exploit can also be used to replace content of protected target files with malicious code, giving malware admin rights. PowerPool chose to weaponize the vuln by changing the content of GoogleUpdate.exe, the updater for Google apps typically run under admin privileges by a Microsoft Windows task. Once they have write access, they overwrite GoogleUpdate.exe with a copy of their second-stage malware to gain system rights when the updater is next called.

The group uses a few different tactics for initial compromise, one of which involves emails with their first-stage malware as an attachment. From there, attackers primarily use two different backdoors: one deployed after the initial compromise and a second-stage backdoor.

The first-stage backdoor does reconnaissance on the machine and includes two executables. First of these is the main backdoor; this establishes persistence through a service and collects proxy information. The C&C server's address is included in this binary, which can execute commands and send information on the target device back to the C&C server. The second executable captures a screenshot of the target's display and exfiltrates it through the backdoor.

Next up is the second backdoor, which is malware downloaded via the first stage. Researchers speculate this is when the operators determine the machine is interesting enough to warrant further analysis; however, "it is clearly not a state-of-the-art APT backdoor," they report.

Once attackers gain persistent access to a machine with the second backdoor, they leverage open-source tools (mostly written in PowerShell) to move laterally throughout the network.

Vulnerability Disclosure 101

Faou says the nature of this disclosure made weaponization simple for PowerPool.

"First, what is really important in this vulnerability disclosure is the release of the source code of the exploit, and not only a compiled version of it," he explains. "Thus, this is easy for malware developers to reuse it in their malware."

In contrast, when only a compiled version is available, malware developers first should reverse-engineer the exploit before including their malware. The process can be time-consuming, he says, and difficult to finish before a patch is issued for the bug.

Security researchers who discover vulnerabilities should coordinate disclosure with the vendor, giving them time to issue a fix before the bug is made public, Faou continues. This protects users; it's unlikely vulnerabilities will be used in massive campaigns before public disclosure.

While this campaign only targets a limited pool of victims, ESET researchers still urge caution: "…it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available," they say.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: When they asked me to do a pen test, I wasn't thinking of this!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...