PowerPool malware exploits zero-day vulnerability

16:14 - 11.09.2018


September 11, Fineko/abc.az. ESET warns of targeted attacks exploiting a new vulnerability in Microsoft Windows that the vendor has not yet patched.

According to telemetry data, the attacks target users in Russia, Ukraine, Poland, Germany, the UK, the USA, India, Chile and the Philippines.

The vulnerability is a Local Privilege Escalation (LPE) flaw that allows malicious code to be executed with the highest privileges. The bug lies in the Windows Task Scheduler and affects Microsoft Windows versions 7 through 10.

Information about the zero-day vulnerability was disclosed on August 27, 2018. There were no security updates available at the time of publication.

Just two days after the publication, ESET experts discovered that an exploit for the new vulnerability was being used in targeted attacks by the PowerPool cyber group. The attackers slightly modified the exploit code published on GitHub and recompiled it.

The attack starts with malicious spam emails carrying a first-stage backdoor. This malware performs basic reconnaissance on the system: it executes the attackers' commands and transmits the collected data to a remote server.

If the computer is of interest to the attackers, a second-stage backdoor is installed, providing persistent access to the system. The PowerPool operators then exploit the zero-day vulnerability for privilege escalation. To move laterally within a compromised network, the attackers use open-source tools: PowerDump, PowerSploit, SMBExec, Quarks PwDump and FireMaster.

PowerPool attacks target a limited number of users. Nevertheless, the incident shows that attackers monitor trends and quickly adopt new exploits. Disclosing vulnerability details before security updates are released might lead to mass cyber attacks.