Friday, March 29, 2024

Hackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using Malware

Malicious Hackers created a malware with an exploit for an unpatched Microsoft Zero-day flaw that was revealed a few days before by Belgium security researcher in Twitter.

Microsoft Windows OS from Windows 7 to Windows 10 and Windows Server 2016 systems have been affected by this Local Privilege Escalation flow in Advanced Local Procedure Call (ALPC) function.

Proof-of-Concept code for this exploit has been released in the GitHub repository which can modify and recompile by anyone in order to improve the attack vector as adding the evade detection techniques.

Now, an unknown cybercrime group named as PowerPool started using this exploit as a malicious campaign to attack the vulnerable victims across many countries including Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

Attackers modified the Source code

Malware authors from PowerPool modified the source code slightly and recompiled it and they did not reuse the binary that was provided by the original exploit author.

A Serious flow discovered in the SchRpcSetSecurity API function allow user can have write permissions on any file in C:\Windows\Task regardless of its actual permissions because API function doesn’t check the user’s permissions correctly.

This flaw allows a user who is having read one permission can able to write in C:\Windows\Task and it is possible to create a file in this folder that is a hard link to any target file.

                                Exploit Original Author Description 

Later we can gain write access to that target file by calling the broken function  SchRpcSetSecurity.

In this case, PowerPool ’s malware author chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe which is one of the legitimate Google updaters.

Here an attacker abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable.

Above PowerPool operators allows gaining write access to the executable GoogleUpdate.exe. 

Initial Stage of Attack

The initial stage of attack started with a spam email with an attached malicious file which is first stage of attack with PowerShell code.

“Also PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first compromise and then a second-stage backdoor, probably on the most interesting machines.”

According to ESET research, This is basic malware used for reconnaissance on the machine. It comprises two Windows executables and the Second-stage backdoor is downloaded via the first stage, presumably when the operators believe the machine is interesting enough for them to stay on it for a longer time.

Once the attacker successfully gains access to a machine with the second-stage backdoor they will start using the several open-source tools to perform further attacks.

Indicators of compromise

Hashes

SHA-1TypeDetection name
038f75dcf1e5277565c68d57fa1f4f7b3005f3f3First stage backdoorWin32/Agent.SZS
247b542af23ad9c63697428c7b77348681aadc9aFirst stage backdoorWin32/Agent.TCH
0423672fe9201c325e33f296595fb70dcd81bcd9Second stage backdoorWin32/Agent.TIA
b4ec4837d07ff64e34947296e73732171d1c1586Second stage backdoorWin32/Agent.TIA
9dc173d4d4f74765b5fc1e1c9a2d188d5387beeaALPC LPE exploitWin64/Exploit.Agent.H
Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles