Active Spy Campaign Exploits Unpatched Windows Zero-Day


The PowerPool gang launched its attack just two days after the zero-day in the Windows Task Scheduler was disclosed.

The recently discovered Windows zero-day – which still doesn’t have a patch – has been used in the wild for the last week, with an active info-stealing campaign emerging just two days after its disclosure on Twitter.

The flaw is a local privilege escalation vulnerability in the Windows Task Scheduler’s Advanced Local Procedure Call (ALPC) interface — it allows a local unprivileged user to change the permissions of any file on the system and modify it, including system files that are executed by privileged processes.

Security researcher “SandboxEscaper” spilled the beans on the flaw on August 27 with some amount of frustration in the vulnerability reporting process: “I don’t [redacted] care about life anymore. Neither do I ever again want to submit to MSFT anyway,” the researcher said in a since-deleted tweet, while linking to a proof-of-concept (PoC) exploit code on GitHub.

The PoC was straightforward: “SandboxEscaper’s PoC specifically overwrites a printing-related DLL to make it launch notepad.exe, then triggers the Print Spooler service (spoolsv.exe) to load the DLL,” explained researchers at Barkly, in a blog about the newly-discovered exploit posted Wednesday. “As a result, notepad.exe is spawned as SYSTEM.”

The PoC featured full source code, which lowers the malware development bar considerably; most PoCs offer only compiled code, which would require reverse-engineering on the part of bad actors.

“It was easy for PowerPool developers to integrate the exploit into their code,” Matthieu Faou, malware researcher at ESET, told Threatpost. “The reverse-engineering of an exploit is generally highly time-consuming.”

So perhaps it’s no surprise that within two days, the PowerPool gang, a known threat group, had modified the PoC to gain write access to the GoogleUpdate.exe function, which is the legitimate updater for Google applications. As such, it runs with admin privileges. According to researchers at ESET, PowerPool has replaced the updater with a malicious executable that is thus launched with elevated privileges whenever the updater is called.
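The hijack described above leaves two traces a defender can check for: the updater binary no longer matches its vendor-signed original, and its DACL grants write access to a principal that should not have it (the effect of the Task Scheduler ALPC flaw). The following PowerShell script is an added example, not code from the article, ESET or Microsoft. It assumes the default Google Update install paths listed in `$candidates`, that the listed trusted principals are the only ones expected to hold write access, and that the defender supplies a known-good SHA-256 in place of the placeholder.

```powershell
# Added example (not from the Threatpost article or ESET's research):
# integrity and permission check for GoogleUpdate.exe, the binary PowerPool
# is reported to have replaced after abusing the Task Scheduler ALPC flaw.
param(
    # Reference SHA-256 of a known-good GoogleUpdate.exe (placeholder; supply your own)
    [string]$KnownGoodSha256 = "<KNOWN-GOOD-SHA256-PLACEHOLDER>"
)

# Assumption: usual default install locations for the Google updater.
$candidates = @(
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe",
    "${env:ProgramFiles}\Google\Update\GoogleUpdate.exe",
    "${env:LOCALAPPDATA}\Google\Update\GoogleUpdate.exe"
)

# Assumption: only these principals are expected to hold write access to the updater.
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

function Test-UpdaterIntegrity {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path -Path $Path)) { return $null }
    $findings = @()

    # 1. Authenticode: a replaced binary will normally not carry a valid Google signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status is $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Google') {
        $findings += "signed by unexpected subject: $($sig.SignerCertificate.Subject)"
    }

    # 2. Hash against the defender-supplied reference (skipped while the placeholder is in place).
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedHash -and $ExpectedHash -notlike '<*>' -and $hash -ne $ExpectedHash) {
        $findings += "SHA-256 $hash does not match reference"
    }

    # 3. DACL: the exploit's effect is write access for an unprivileged user on a
    #    file that only SYSTEM, Administrators or TrustedInstaller should be able to modify.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and
            $rights -match 'Write|Modify|FullControl' -and
            $trustedWriters -notcontains $ace.IdentityReference.Value) {
            $findings += "write access granted to $($ace.IdentityReference.Value) ($rights)"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Sha256    = $hash
        Signature = $sig.Status
        Findings  = $findings
    }
}

foreach ($p in $candidates) {
    $result = Test-UpdaterIntegrity -Path $p -ExpectedHash $KnownGoodSha256
    if ($null -eq $result) { continue }
    if ($result.Findings.Count -eq 0) {
        Write-Output "OK       $($result.Path)"
    } else {
        Write-Warning "SUSPECT  $($result.Path): $($result.Findings -join '; ')"
    }
}
```

Run it from an elevated prompt so `Get-Acl` can read the file's security descriptor. A hash mismatch on its own can be a legitimate update, so the signature check is the stronger signal; an `Allow` write entry for an ordinary user on a binary that runs with elevated privileges is the condition this campaign depends on and is worth investigating on its own.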

According to ESET researchers, the PowerPool group initially compromises victims via spear-phishing emails with a malicious attachment. The emails use a typical “you have not settled this invoice” lure.

That attachment – no word on the format, but PowerPool has used tricky Symbolic Link (.slk) file attachments in the past – is a first-stage malware with two Windows executables, used for reconnaissance on the machine.

The main executable is a backdoor that establishes persistence and collects basic machine and proxy information; it then exfiltrates the data to the command-and-control (C2) server. ESET said that it can also execute commands. The other executable does only one thing: it takes a screenshot of the victim’s display and sends it to the C2.

If the attackers decide that the victim machine looks like a good prize, the first-stage backdoor fetches a second-stage malware, which is more rudimentary than the usual APT backdoor, ESET researchers noted. However, it uses the zero-day exploit to elevate its privileges to system admin, which gives the attackers an unfettered view into other parts of the network.

The team found that the second-stage code thus downloads an array of open-source lateral-movement tools, mostly written in PowerShell. Among other things, these can retrieve usernames and hashes from the Security Account Manager (SAM); perform pass-the-hash SMB connections; retrieve Windows credentials; and lift stored passwords from Outlook, web browsers and so on.

The campaign is limited for now, according to ESET telemetry, which may indicate that the recipients are carefully chosen rather than on the receiving end of a mass-mailing spam effort. However, it’s unlikely to be the only use of the zero-day by threat groups.

“The disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk,” ESET researchers noted in their analysis posted on Wednesday. “This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available.”

Users should be on high alert: CERT-CC has confirmed that all supported Windows versions are vulnerable.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost last week. “Our standard policy is to provide solutions via our current Update Tuesday schedule.”

While Microsoft has yet to roll out a patch (one could be upcoming in September’s Patch Tuesday), a third-party “micropatch” is available from 0Patch for 64-bit versions of Windows 7, Windows 10, Windows Server 2008 and Windows Server 2016. There are also mitigations (not yet acknowledged by Microsoft) listed on the CERT-CC site.
