
9/5/2018
05:26 PM

PowerPool Malware Uses Windows Zero-Day Posted on Twitter

Researchers detected the vulnerability in an attack campaign two days after it was posted on social media.

There are several good reasons why you shouldn't post zero-day exploits on social media. For starters, lurking attackers will snatch the code and leverage it in a malware campaign.

Such is the case with a Microsoft Windows zero-day bug shared on Twitter last week. Two days after the vulnerability and proof-of-concept were posted on Twitter and GitHub, respectively, ESET researchers identified the exploit in a campaign from the PowerPool threat group.

The vulnerability, first shared in a (now deleted) tweet on August 27, affects the Advanced Local Procedure Call (ALPC) function within the Windows Task Manager in Windows 7 through Windows 10. The flaw allows Local Privilege Escalation (LPE), which lets an executable escalate privileges and allows restricted users to launch a process that gains administrative control.

Twitter user SandboxEscaper, who sent the initial post, linked back to a GitHub repository with PoC code. It didn't take long for attackers to modify and recompile the exploit. PowerPool, which has a range of tools already at its disposal, took advantage.

PowerPool has a small number of targets, researchers explain in a blog post on the discovery. It may be too early to tell, but the few occurrences indicate recipients are carefully chosen and not part of a spam campaign. ESET telemetry and uploads to VirusTotal (the researchers counted only manual uploads from the Web interface) indicate affected countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

"We guess this is an espionage campaign, due to the nature of their backdoors," says ESET malware researcher Matthieu Faou. "However, their malware are basic and cannot be compared to the ones developed by most APT groups."

While this campaign is more targeted, PowerPool has previously launched spam attacks. ESET data shows the group has been active since 2017 but hasn't been linked to any public breaches.

But First, They Changed the Code

PowerPool didn't use the exact binary that SandboxEscaper posted. Instead, they modified and recompiled the source code to insert their own malware and gain system privileges. The binary provided at the time of disclosure is a PoC showing how to exploit the flaw, Faou explains. It's not really malicious, he says, because it will ultimately execute notepad.exe with system privileges. PowerPool wanted to execute their own malware.

The flaw is in the SchRpcSetSecurity API function, which doesn't correctly check user permissions. This grants anyone write access to files in the Task Manager regardless of their rights; as a result, people with read-only access can replace content in write-protected files or create a file within the folder to link to, and gain write access to, any target file.

The exploit can also be used to replace the content of protected target files with malicious code, giving malware admin rights. PowerPool chose to weaponize the vulnerability by changing the content of GoogleUpdate.exe, the updater for Google apps that is typically run under admin privileges by a Microsoft Windows task. Once they have write access, they overwrite GoogleUpdate.exe with a copy of their second-stage malware to gain system rights when the updater is next called.
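The overwritten updater described above would no longer carry a valid Authenticode signature, which gives defenders a simple integrity check. The following PowerShell audit is an added example, not code from the article or from ESET: it enumerates scheduled tasks that run elevated and verifies the signature of each binary they launch. It assumes Windows PowerShell 5.1 on Windows 8/Server 2012 or later (for the ScheduledTasks module and the FileInfo LinkType property) and an elevated session so all tasks are visible.

```powershell
# Added example (not from the article or ESET): audit scheduled tasks that run
# as SYSTEM or with highest privileges and verify the Authenticode signature of
# each binary they launch, so a tampered updater such as GoogleUpdate.exe
# stands out. Assumes Windows PowerShell 5.1 in an elevated session.

$findings = foreach ($task in Get-ScheduledTask) {
    $principal = $task.Principal
    # Only tasks that would hand SYSTEM/admin rights to a replaced binary matter here
    $elevated = ($principal.UserId -match 'SYSTEM|S-1-5-18') -or
                ($principal.RunLevel -eq 'Highest')
    if (-not $elevated) { continue }

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # skip COM-handler actions
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $file = Get-Item -LiteralPath $exe
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            RunAs     = $principal.UserId
            Binary    = $exe
            Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            Modified  = $file.LastWriteTimeUtc
            LinkType  = $file.LinkType              # 'HardLink' when extra NTFS links exist
        }
    }
}

# Anything whose signature is not Valid deserves a look: a replaced
# GoogleUpdate.exe would report HashMismatch or NotSigned. A recent
# modification time or an unexpected hard link is a further warning sign.
$findings |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table -AutoSize
```

A clean baseline of this output, kept from a known-good machine, makes a later comparison trivial and also catches unsigned vendor updaters that should be whitelisted explicitly.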

The group uses a few different tactics for initial compromise, one of which involves emails with their first-stage malware as an attachment. From there, attackers primarily use two different backdoors: one deployed after the initial compromise and a second-stage backdoor.

The first-stage backdoor does reconnaissance on the machine and consists of two executables. The first of these is the main backdoor; it establishes persistence through a service and collects proxy information. The C&C server's address is embedded in this binary, which can execute commands and send information about the target device back to the C&C server. The second executable captures a screenshot of the target's display and exfiltrates it through the backdoor.

Next up is the second backdoor, which is malware downloaded via the first stage. Researchers speculate this is when the operators determine the machine is interesting enough to warrant further analysis; however, "it is clearly not a state-of-the-art APT backdoor," they report.

Once attackers gain persistent access to a machine with the second backdoor, they leverage open-source tools (mostly written in PowerShell) to move laterally throughout the network.

Vulnerability Disclosure 101

Faou says the nature of this disclosure made weaponization simple for PowerPool.

"First, what is really important in this vulnerability disclosure is the release of the source code of the exploit, and not only a compiled version of it," he explains. "Thus, this is easy for malware developers to reuse it in their malware."

In contrast, when only a compiled version is available, malware developers must first reverse-engineer the exploit before they can embed it in their own malware. That process can be time-consuming, he says, and difficult to finish before a patch is issued for the bug.

Security researchers who discover vulnerabilities should coordinate disclosure with the vendor, giving them time to issue a fix before the bug is made public, Faou continues. This protects users; it's unlikely vulnerabilities will be used in massive campaigns before public disclosure.

While this campaign only targets a limited pool of victims, ESET researchers still urge caution: "…it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available," they say.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
