Cybergroup PowerPool adopts zero-day vulnerability in Advanced Local Procedure Call
On August 2? 201? information about a zero-day vulnerability was posted on Twitter by a user named SandboxEscaper. The vulnerability affects Microsoft Windows versions 7 to 1? more precisely, the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. It provides local privilege escalation, which allows an attacker to raise the rights of malicious code from the User level to the SYSTEM level. There was no coordinated disclosure of the vulnerability: the SandboxEscaper account was soon deleted, and no patch was available.
The link in the tweet led to a GitHub repository with proof-of-concept exploit code, not only a compiled version but also the source code. Anyone could therefore modify and recompile the exploit to improve it, evade detection, or embed it in their own code.
It is therefore not surprising that just two days later the exploit appeared in the wild in the PowerPool campaign. According to ESET telemetry, the targeted countries include Russia, Ukraine, Poland, Germany, Great Britain, the USA, India, the Philippines and Chile. The victims are relatively few, which may indicate a highly targeted campaign.
security researchers and CERT groups.
Figure 1. Author's description of the exploit
The flaw is in the API function SchRpcSetSecurity, which does not check the caller's permissions. Thus, a user can write any file in C:\Windows\Task regardless of the actual permissions: if you have read permission, you can replace the contents of a write-protected file.
Any user can write files to C:\Windows\Task, so in this folder one can create a file that is a hard link to any target file. Then, by calling SchRpcSetSecurity, one obtains write access to that target file. To turn this into local privilege elevation, the attacker needs to select a target file that will be overwritten; it is important that this file is executed automatically with administrator rights. It can be a system file or, alternatively, an updater for previously installed software that runs regularly. The last step is to replace the contents of the target file with malicious code, so that the next automatic execution runs the malware with administrator rights regardless of the attacker's original rights.
The PowerPool developers chose to change the contents of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. It is the legitimate updater for Google applications, and it is regularly run with administrator rights through a Microsoft Windows task.
Figure 2. Creating a hard link to Google Updater
Figure 3. Using SchRpcCreateFolder to change the permissions of the Google Updater executable.
The sequence of operations in the figure above gives the PowerPool operators write access to the executable file GoogleUpdate.exe. They then overwrite it, replacing it with a copy of their second-stage malware (described below) to obtain administrator rights the next time the updater runs.
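A defender-side check for the technique described above, written as an added example and not code from the article or from ESET: it flags entries in a Task-style folder that share their data with another name (a hard link) and compares an auto-run binary's SHA-1 against the hashes listed in this article's IoC section. The directory layout is constructed in a temp folder so it runs offline; `build_demo_dir` and the file names in it are assumptions for the demo, not real system paths.

```python
import hashlib
import os
import tempfile

KNOWN_BAD_SHA1 = {  # SHA-1 values from the article's indicators of compromise
    "038f75dcf1e5277565c68d57fa1f4f7b3005f3f3": "first-stage backdoor (Win32/Agent.SZS)",
    "247b542af23ad9c63697428c7b77348681aadc9a": "first-stage backdoor (Win32/Agent.TCH)",
    "0423672fe9201c325e33f296595fb70dcd81bcd9": "second-stage backdoor (Win32/Agent.TIA)",
    "b4ec4837d07ff64e34947296e73732171d1c1586": "second-stage backdoor (Win32/Agent.TIA)",
    "9dc173d4d4f74765b5fc1e1c9a2d188d5387beea": "ALPC LPE exploit (Win64/Exploit.Agent.H)",
}

def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_hard_links(task_dir):
    """Names in task_dir whose data is shared with another name on the volume.
    A task file normally has exactly one name, so st_nlink > 1 is the signal."""
    flagged = []
    for entry in os.scandir(task_dir):
        # os.stat, not entry.stat: on Windows DirEntry.stat leaves st_nlink at 0.
        st = os.stat(entry.path, follow_symlinks=False)
        if entry.is_file(follow_symlinks=False) and st.st_nlink > 1:
            flagged.append(entry.name)
    return sorted(flagged)

def check_autorun_binary(path):
    """IoC label if the file's SHA-1 is in the article's list, otherwise None."""
    return KNOWN_BAD_SHA1.get(sha1_of(path))

def build_demo_dir():
    """Constructed sample layout (assumed names, not real system files): one ordinary
    task file plus a hard-linked pair standing in for the folder entry and its target."""
    d = tempfile.mkdtemp()
    normal = os.path.join(d, "normal.job")
    with open(normal, "wb") as f:
        f.write(b"abc")
    target = os.path.join(d, "target.bin")
    with open(target, "wb") as f:
        f.write(b"auto-run binary")
    os.link(target, os.path.join(d, "UpdateTask.job"))  # second name for the same data
    return {"dir": d, "normal": normal, "target": target}

if __name__ == "__main__":
    paths = build_demo_dir()
    print("hard-linked entries:", find_hard_links(paths["dir"]))
    print("IoC match for target:", check_autorun_binary(paths["target"]))
```

On a real host, point `find_hard_links` at the Task folder and `check_autorun_binary` at the auto-run executable; a hard-linked entry there is worth investigating even when the hash check is clean.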
Initial compromise
The PowerPool group uses different methods for the initial compromise of a victim. One of them is spam mailing with the first-stage malware attached. It is too early to draw conclusions, but so far we have seen very few samples in telemetry data, so we assume that recipients are carefully selected and that this is not a mass mailing.
On the other hand, we know that PowerPool has used spam mailing in the past. According to a SANS blog post published in May 201? they used a scheme with Symbolic Link (.slk) files to distribute malware. Microsoft Excel can load these files, which update a cell and cause Excel to execute PowerShell code. It seems that these .slk files were also spread in spam messages. Starting from the first file mentioned in the SANS post (SHA-1: b2dc703d3af1d015f4d53b6dbbeb624f5ade5553), the corresponding spam sample (SHA-1: e0882e234cba94b5cf3df2c05949e2e228bedd2b) can be found on VirusTotal:
Figure 4. Spam PowerPool
The PowerPool group usually works with two backdoors: the first-stage backdoor is used after the initial compromise, and the second-stage backdoor is deployed only on machines of interest.
First-stage backdoor
This is the basic malware that is used for reconnaissance. It consists of two Windows executables.
The first of these is the main backdoor, which provides persistence through a service. It also creates a mutex named MyDemonMutex%d, where %d is in the range 0 to 10. The backdoor collects proxy information; the C&C server address is hard-coded in the binary. The malware can execute commands and perform basic reconnaissance of the system, sending the data to the C&C server.
Figure 5. Collecting information about the proxy
The second executable has a single purpose: it takes a screenshot and writes it to a file named MyScreen.jpg, which the main backdoor can then exfiltrate.
Second-stage backdoor
This malware is downloaded by the first stage, presumably when the machine looks interesting to the operators. Nevertheless, the program does not resemble a state-of-the-art APT backdoor.
The C&C server address is hard-coded in the binary, and there is no mechanism for updating this important configuration item. The backdoor looks for commands at http://[C&C domain]/cmdpool and downloads additional files from http://[C&C domain]/upload. The additional files are mainly the lateral movement tools mentioned below.
- execute the command
- Terminate the process
- send the file
- Download the file
- View the contents of the folder
Commands are sent in JSON format. The examples below are requests for executing commands and enumerating the folders:
Figure 6. Examples of backdoor commands
Lateral movement tools
Having established persistent access to the system with the second-stage backdoor, the PowerPool operators use several open-source tools, written mainly in PowerShell, for lateral movement across the network.
- PowerDump: a Metasploit module that can extract user names and hashes from the Security Account Manager.
- PowerSploit: a collection of PowerShell modules in the style of Metasploit.
- SMBExec: a PowerShell tool for performing pass-the-hash attacks over the SMB protocol.
- Quarks PwDump: a Windows executable that can retrieve credentials.
- FireMaster: a Windows executable that can extract saved passwords from Outlook, web browsers, etc.
The disclosure of vulnerabilities before an update is released poses a threat to users. In this case, even the latest version of Windows can be compromised. CERT/CC offers a workaround, which, however, has not been formally endorsed by Microsoft.
The PowerPool attack is aimed at a limited number of users. Nevertheless, the incident shows that attackers follow events closely and quickly adopt new exploits.
ESET specialists continue to monitor the exploitation of the new vulnerability. Indicators of compromise are also available on GitHub.
Indicators of compromise
- First-stage backdoor (Win32/Agent.SZS): 038f75dcf1e5277565c68d57fa1f4f7b3005f3f3
- First-stage backdoor (Win32/Agent.TCH): 247b542af23ad9c63697428c7b77348681aadc9a
- Second-stage backdoor (Win32/Agent.TIA): 0423672fe9201c325e33f296595fb70dcd81bcd9
- Second-stage backdoor (Win32/Agent.TIA): b4ec4837d07ff64e34947296e73732171d1c1586
- ALPC LPE exploit (Win64/Exploit.Agent.H): 9dc173d4d4f74765b5fc1e1c9a2d188d5387beea
Detection by ESET products
- Win32/Agent.SZS
- Win32/Agent.TCH
- Win32/Agent.TEL
- Win32/Agent.THT
- Win32/Agent.TDK
- Win32/Agent.TIA
- Win32/Agent.TID
C&C servers