Wednesday, January 15, 2025
HomeComputer SecurityHackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using...

Hackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using Malware

Published on

Malicious Hackers created a malware with an exploit for an unpatched Microsoft Zero-day flaw that was revealed a few days before by Belgium security researcher in Twitter.

Microsoft Windows OS from Windows 7 to Windows 10 and Windows Server 2016 systems have been affected by this Local Privilege Escalation flow in Advanced Local Procedure Call (ALPC) function.

Proof-of-Concept code for this exploit has been released in the GitHub repository which can modify and recompile by anyone in order to improve the attack vector as adding the evade detection techniques.

Now, an unknown cybercrime group named as PowerPool started using this exploit as a malicious campaign to attack the vulnerable victims across many countries including Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

Attackers modified the Source code

Malware authors from PowerPool modified the source code slightly and recompiled it and they did not reuse the binary that was provided by the original exploit author.

A Serious flow discovered in the SchRpcSetSecurity API function allow user can have write permissions on any file in C:\Windows\Task regardless of its actual permissions because API function doesn’t check the user’s permissions correctly.

This flaw allows a user who is having read one permission can able to write in C:\Windows\Task and it is possible to create a file in this folder that is a hard link to any target file.

                                Exploit Original Author Description 

Later we can gain write access to that target file by calling the broken function  SchRpcSetSecurity.

In this case, PowerPool ’s malware author chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe which is one of the legitimate Google updaters.

Here an attacker abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable.

Above PowerPool operators allows gaining write access to the executable GoogleUpdate.exe. 

Initial Stage of Attack

The initial stage of attack started with a spam email with an attached malicious file which is first stage of attack with PowerShell code.

“Also PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first compromise and then a second-stage backdoor, probably on the most interesting machines.”

According to ESET research, This is basic malware used for reconnaissance on the machine. It comprises two Windows executables and the Second-stage backdoor is downloaded via the first stage, presumably when the operators believe the machine is interesting enough for them to stay on it for a longer time.

Once the attacker successfully gains access to a machine with the second-stage backdoor they will start using the several open-source tools to perform further attacks.

Indicators of compromise

Hashes

SHA-1TypeDetection name
038f75dcf1e5277565c68d57fa1f4f7b3005f3f3First stage backdoorWin32/Agent.SZS
247b542af23ad9c63697428c7b77348681aadc9aFirst stage backdoorWin32/Agent.TCH
0423672fe9201c325e33f296595fb70dcd81bcd9Second stage backdoorWin32/Agent.TIA
b4ec4837d07ff64e34947296e73732171d1c1586Second stage backdoorWin32/Agent.TIA
9dc173d4d4f74765b5fc1e1c9a2d188d5387beeaALPC LPE exploitWin64/Exploit.Agent.H
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Aembit Announces Speaker Lineup for the Inaugural NHIcon

Aembit, the non-human identity and access management (IAM) company, unveiled the full agenda for...

Sweet Security Introduces Patent-Pending LLM-Powered Detection Engine, Reducing Cloud Detection Noise to 0.04%

Sweet Security, a leader in cloud runtime detection and response, today announced the launch...

ShadowSyndicate Hackers Added RansomHub Ransomware to their Arsenal

ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated...

5,000 WordPress Sites Hacked in New WP3.XYZ Malware Attack

Widespread malware campaigns detected by side crawlers exploit vulnerabilities on multiple websites where the...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data

Researchers analyzed a new stealthy credit card skimmer that targets WordPress checkout pages by...

Hackers Exploiting YouTube to Spread Malware That Steals Browser Data

Malware actors leverage popular platforms like YouTube and social media to distribute fake installers....