Windows Task Scheduler

Malicious Hackers created a malware with an exploit for an unpatched Microsoft Zero-day flaw that was revealed a few days before by Belgium security researcher in Twitter.

Microsoft Windows OS from Windows 7 to Windows 10 and Windows Server 2016 systems have been affected by this Local Privilege Escalation flow in Advanced Local Procedure Call (ALPC) function.

Proof-of-Concept code for this exploit has been released in the GitHub repository which can modify and recompile by anyone in order to improve the attack vector as adding the evade detection techniques.

Now, an unknown cybercrime group named as PowerPool started using this exploit as a malicious campaign to attack the vulnerable victims across many countries including Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

Attackers modified the Source code

Malware authors from PowerPool modified the source code slightly and recompiled it and they did not reuse the binary that was provided by the original exploit author.

A Serious flow discovered in the SchRpcSetSecurity API function allow user can have write permissions on any file in C:\Windows\Task regardless of its actual permissions because API function doesn’t check the user’s permissions correctly.

This flaw allows a user who is having read one permission can able to write in C:\Windows\Task and it is possible to create a file in this folder that is a hard link to any target file.

                                Exploit Original Author Description 

Later we can gain write access to that target file by calling the broken function  SchRpcSetSecurity.

In this case, PowerPool ’s malware author chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe which is one of the legitimate Google updaters.

Here an attacker abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable.

Above PowerPool operators allows gaining write access to the executable GoogleUpdate.exe. 

Initial Stage of Attack

The initial stage of attack started with a spam email with an attached malicious file which is first stage of attack with PowerShell code.

“Also PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first compromise and then a second-stage backdoor, probably on the most interesting machines.”

According to ESET research, This is basic malware used for reconnaissance on the machine. It comprises two Windows executables and the Second-stage backdoor is downloaded via the first stage, presumably when the operators believe the machine is interesting enough for them to stay on it for a longer time.

Once the attacker successfully gains access to a machine with the second-stage backdoor they will start using the several open-source tools to perform further attacks.

Indicators of compromise

Hashes

SHA-1 Type Detection name
038f75dcf1e5277565c68d57fa1f4f7b3005f3f3 First stage backdoor Win32/Agent.SZS
247b542af23ad9c63697428c7b77348681aadc9a First stage backdoor Win32/Agent.TCH
0423672fe9201c325e33f296595fb70dcd81bcd9 Second stage backdoor Win32/Agent.TIA
b4ec4837d07ff64e34947296e73732171d1c1586 Second stage backdoor Win32/Agent.TIA
9dc173d4d4f74765b5fc1e1c9a2d188d5387beea ALPC LPE exploit Win64/Exploit.Agent.H