Windows Zero-Day Exploited in Targeted Attacks by 'PowerPool' Group
6.9.2018 securityweek Exploit
A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.
The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.
Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).
The public exploit has been confirmed to work on 64-bit versions of Windows 10 and Windows Server 2016, with the possibility to adapt it for 32-bit systems as well.
Microsoft has launched an investigation, but it has yet to release a patch or provide mitigations. While the tech giant initially suggested that a fix may be released with its regular Patch Tuesday updates, the company may roll out a patch sooner now that the vulnerability has been exploited in malicious attacks.
In the meantime, 0patch has released an unofficial fix for the vulnerability and CERT/CC’s advisory for the bug describes some mitigations.
According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.
ESET researchers determined that PowerPool slightly modified the publicly available exploit source code and recompiled it for its attacks.
The hackers, whose possible origins have not been discussed by the security firm, have used the zero-day to overwrite C:\Program Files(x86)\Google\Update\GoogleUpdate.exe, a legitimate updater for Google applications. Since this file is regularly executed in Windows with administrative privileges, overwriting it with their malware has allowed the attackers to obtain elevated permissions on the targeted system.
ESET believes PowerPool attacks begin with a malware-carrying email being sent to the targeted user. While the campaign involving the zero-day appears to be highly targeted, an interesting spam campaign spotted by SANS in May, which used Symbolic Link (.slk) files for malware distribution, was apparently carried out by the same group.
The first stage malware used by PowerPool, which is delivered via the initial emails, is a backdoor designed for reconnaissance purposes. If the infected machine presents an interest to the attackers, the malware downloads a second stage backdoor capable of executing commands on the system, uploading and downloading files, killing processes, and listing folders.
The files downloaded by the second stage malware to compromised devices include several open source tools that allow the attackers to move laterally on the network. The list includes PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.
ESET has described this second stage malware as “clearly not a state-of-the-art APT backdoor.”
“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.