Cyber Threat

PuzzleMaker attacks with Chrome zero-day exploit chain

June 9, 2021

All of the observed attacks were conducted through the Chrome browser.
Unfortunately, Kaspersky was unable to retrieve the JavaScript with the full exploit code, but the timeframe of the attacks and the events preceding them led its researchers to suspect one particular vulnerability.

On April 6-8, 2021 the Pwn2Own competition took place.
This is a computer hacking contest where the Google Chrome web browser was one of the targets.
According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) website, one participating team was able to demonstrate a successful exploitation of the Chrome renderer process using a Typer Mismatch bug.

On April 12, 2021, the developers of Chromium committed two Typer-related bug fixes (issue 1196683 and issue 1195777) to the open-source repository of V8, the JavaScript engine used by the Chrome and Chromium web browsers.
One of these bug fixes (issue 1196683) was intended to patch the vulnerability used during Pwn2Own, and both fixes were committed together with regression tests: JavaScript files that trigger these vulnerabilities.
Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome.
That exploit used the vulnerability from issue 1196683 to execute shellcode in the context of the browser renderer process.

The published exploit didn't contain a sandbox escape and was therefore intended to work only when the browser was launched with the command line option --no-sandbox.

On April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.

Some of Kaspersky's customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, which is why Kaspersky believes the attackers didn't use CVE-2021-21220 in their attacks.

On April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities.
On the same day, a new Chrome exploit was presented to the public.

This newly published exploit used a vulnerability from issue 1195777, worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.

Kaspersky suspects the attackers were also able to use this regression-test JavaScript file to develop the exploit (or acquired it from someone else) and were probably using CVE-2021-21224 in their attacks.

CVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe.
The vulnerability is tied to a Windows OS feature called SuperFetch.
SuperFetch was introduced in Windows Vista and aims to reduce application loading times by pre-loading commonly used applications into memory.
For SuperFetch purposes, the function NtQuerySystemInformation implements a special system information class, SystemSuperfetchInformation.
This system information class incorporates more than a dozen different SuperFetch information classes.
The vulnerability lies in the fact that the data returned by NtQuerySystemInformation for the SuperFetch information class SuperfetchPrivSourceQuery contains the EPROCESS kernel addresses of currently running processes.

It’s noteworthy that this vulnerability can be observed in code that was available on GitHub for a few years before we caught it in the wild and Microsoft patched it.

[Figure: CVE-2021-31955 can be observed in the source code of the MemInfo utility]

The other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys.
The function NtfsQueryEaUserEaList processes a list of extended attributes for a file and stores the retrieved values in an output buffer.
This function is reachable via an ntoskrnl syscall, and among other things the caller controls the size of the output buffer.
If the size of an extended attribute is not aligned, the function calculates padding so that the next extended attribute is stored 32-bit aligned.
The code checks whether the output buffer is long enough to fit the extended attribute with its padding, but it doesn't account for a possible integer underflow in that check.
As a result, a heap-based buffer overflow can occur.
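To make the integer-underflow class of bug concrete, here is an added example: a simplified C model of an extended-attribute copy loop with 32-bit alignment padding. It is not ntfs.sys code and not from Kaspersky's report; the function names, the 9-byte output buffer and the two sample attributes are constructed for this illustration, and the "fixed" variant shows a defensive rewrite of the check, not Microsoft's actual patch. The vulnerable variant subtracts the padding from the unsigned remaining length before comparing, so the subtraction wraps when fewer bytes remain than the padding needs; the hardened variant compares the required size against the remaining length without that subtraction.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a simplified model of the length check described in the
 * text, NOT the real NtfsQueryEaUserEaList code. Each extended attribute
 * (EA) is copied into an output buffer and the next one is placed 32-bit
 * aligned, so 0..3 bytes of padding follow every entry. */

typedef struct {
    uint32_t length;      /* size of this attribute's value in bytes */
    const uint8_t *data;  /* constructed sample payload */
} ea_entry_t;

/* Bytes needed after 'len' to reach the next 4-byte boundary (0..3). */
static uint32_t align4_padding(uint32_t len)
{
    return (4u - (len & 3u)) & 3u;
}

/* Vulnerable variant: 'remaining - pad' is an unsigned subtraction. When the
 * bytes left in the output buffer are fewer than the padding, the result
 * wraps to a huge value, the check passes, and memcpy writes past out_len.
 * 'out' must point at a scratch area larger than out_len so the model itself
 * never corrupts memory; the return value is the highest offset written. */
uint32_t emit_ea_list_vulnerable(const ea_entry_t *eas, size_t n,
                                 uint8_t *out, uint32_t out_len)
{
    uint32_t offset = 0, remaining = out_len, high = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t pad = align4_padding(eas[i].length);
        if (remaining - pad < eas[i].length)   /* BUG: may underflow */
            break;
        memcpy(out + offset, eas[i].data, eas[i].length);
        high = offset + eas[i].length;
        offset += eas[i].length + pad;
        remaining -= eas[i].length + pad;       /* also wraps once broken */
    }
    return high;
}

/* Hardened variant: never subtract from 'remaining'; check that the entry
 * plus its padding fits, guarding the addition against wrap-around too. */
uint32_t emit_ea_list_fixed(const ea_entry_t *eas, size_t n,
                            uint8_t *out, uint32_t out_len)
{
    uint32_t offset = 0, remaining = out_len, high = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t pad = align4_padding(eas[i].length);
        if (eas[i].length > UINT32_MAX - pad)   /* length + pad would wrap */
            break;
        uint32_t needed = eas[i].length + pad;
        if (needed > remaining)                 /* does not fit: stop */
            break;
        memcpy(out + offset, eas[i].data, eas[i].length);
        high = offset + eas[i].length;
        offset += needed;
        remaining -= needed;
    }
    return high;
}

/* Constructed sample: a 9-byte output buffer and two EAs of 5 and 6 bytes.
 * After the first EA (5 bytes + 3 padding) only 1 byte remains, which is
 * less than the second EA's padding of 2, so the vulnerable check wraps
 * and copies 6 more bytes at offset 8 (bytes 8..13 of a 9-byte buffer). */
#define DEMO_OUT_LEN 9u
#define DEMO_SCRATCH 64u

uint32_t demo_footprint(bool use_fixed)
{
    static const uint8_t a[] = "AAAAA";
    static const uint8_t b[] = "BBBBBB";
    const ea_entry_t eas[] = { { 5, a }, { 6, b } };
    uint8_t scratch[DEMO_SCRATCH] = { 0 };   /* larger than DEMO_OUT_LEN */
    return use_fixed
        ? emit_ea_list_fixed(eas, 2, scratch, DEMO_OUT_LEN)
        : emit_ea_list_vulnerable(eas, 2, scratch, DEMO_OUT_LEN);
}

int main(void)
{
    printf("buffer length: %u\n", DEMO_OUT_LEN);
    printf("vulnerable check wrote up to byte %u\n", demo_footprint(false));
    printf("fixed check wrote up to byte %u\n", demo_footprint(true));
    return 0;
}
```

The point of the model is the shape of the comparison: any check that subtracts from an unsigned remaining-length value before comparing must first prove the subtrahend is no larger than that value, or the comparison degenerates into "always fits" exactly when the buffer is nearly full.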

The exploit uses CVE-2021-31956 along with Windows Notification Facility (WNF) to create arbitrary memory read and write primitives.

Because the exploit uses CVE-2021-31955 to obtain the kernel address of the EPROCESS structure, it could use the common post-exploitation technique of stealing the SYSTEM token.
However, the exploit instead uses a rarely seen "PreviousMode" technique.
Kaspersky has seen this technique used by the CHAINSHOT framework and gave a presentation about it at CanSecWest/BlueHat in 2019.
The exploit uses this technique to inject a malware module into a system process and execute it.

Besides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:
Stager
Dropper
Service
Remote shell
