Sunday, September 8, 2024
HomeComputer SecurityHackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using...

Hackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using Malware

Published on

Malicious Hackers created a malware with an exploit for an unpatched Microsoft Zero-day flaw that was revealed a few days before by Belgium security researcher in Twitter.

Microsoft Windows OS from Windows 7 to Windows 10 and Windows Server 2016 systems have been affected by this Local Privilege Escalation flow in Advanced Local Procedure Call (ALPC) function.

Proof-of-Concept code for this exploit has been released in the GitHub repository which can modify and recompile by anyone in order to improve the attack vector as adding the evade detection techniques.

- Advertisement - EHA

Now, an unknown cybercrime group named as PowerPool started using this exploit as a malicious campaign to attack the vulnerable victims across many countries including Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

Attackers modified the Source code

Malware authors from PowerPool modified the source code slightly and recompiled it and they did not reuse the binary that was provided by the original exploit author.

A Serious flow discovered in the SchRpcSetSecurity API function allow user can have write permissions on any file in C:\Windows\Task regardless of its actual permissions because API function doesn’t check the user’s permissions correctly.

This flaw allows a user who is having read one permission can able to write in C:\Windows\Task and it is possible to create a file in this folder that is a hard link to any target file.

                                Exploit Original Author Description 

Later we can gain write access to that target file by calling the broken function  SchRpcSetSecurity.

In this case, PowerPool ’s malware author chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe which is one of the legitimate Google updaters.

Here an attacker abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable.

Above PowerPool operators allows gaining write access to the executable GoogleUpdate.exe. 

Initial Stage of Attack

The initial stage of attack started with a spam email with an attached malicious file which is first stage of attack with PowerShell code.

“Also PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first compromise and then a second-stage backdoor, probably on the most interesting machines.”

According to ESET research, This is basic malware used for reconnaissance on the machine. It comprises two Windows executables and the Second-stage backdoor is downloaded via the first stage, presumably when the operators believe the machine is interesting enough for them to stay on it for a longer time.

Once the attacker successfully gains access to a machine with the second-stage backdoor they will start using the several open-source tools to perform further attacks.

Indicators of compromise

Hashes

SHA-1TypeDetection name
038f75dcf1e5277565c68d57fa1f4f7b3005f3f3First stage backdoorWin32/Agent.SZS
247b542af23ad9c63697428c7b77348681aadc9aFirst stage backdoorWin32/Agent.TCH
0423672fe9201c325e33f296595fb70dcd81bcd9Second stage backdoorWin32/Agent.TIA
b4ec4837d07ff64e34947296e73732171d1c1586Second stage backdoorWin32/Agent.TIA
9dc173d4d4f74765b5fc1e1c9a2d188d5387beeaALPC LPE exploitWin64/Exploit.Agent.H
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Researchers Unpacked AvNeutralizer EDR Killer Used By FIN7 Group

FIN7 (aka Carbon Spider, ELBRUS, Sangria Tempest) is a Russian APT group that is...

Lazarus Hackers Attacking Job-Seekers to Deliver Javascript Malware

The Lazarus Group is one of the most notorious hacker groups linked to the...