Image: Ryoji Iwata
Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.
According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims’ networks were compromised.
Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.
Malware deployed with system privileges
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
“This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.
“The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
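The dropper described above plants executables that pose as legitimate Windows files, so a practical defensive check is to look for binaries whose version information claims Microsoft as the vendor while their Authenticode signature is missing, invalid, or issued to someone else. The following PowerShell script is an added example, not code from the article or from Kaspersky's report; the scanned directories, the report path, and the "O=Microsoft Corporation" subject match are assumptions chosen for illustration, and it relies only on the built-in Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example (not from the Kaspersky report or the article): flag executables
# whose version info claims Microsoft as the vendor but whose Authenticode
# signature is missing, invalid, or not issued to Microsoft. The directory list
# and report path below are assumptions for illustration; adjust them per host.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:ProgramData"),
    [string]$ReportPath = "$env:TEMP\masquerade-report.csv"
)

function Test-MasqueradingBinary {
    param([System.IO.FileInfo]$File)

    $info = $File.VersionInfo
    # Only binaries that present themselves as Microsoft's are of interest here.
    if ($info.CompanyName -notmatch 'Microsoft') { return $null }

    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Suspicious when the signature does not verify, or verifies to a non-Microsoft signer.
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')
    if (-not $suspicious) { return $null }

    [pscustomobject]@{
        Path        = $File.FullName
        CompanyName = $info.CompanyName
        SigStatus   = $sig.Status
        Signer      = $signer
        # Hash is recorded so an analyst can compare it against published IOC lists.
        SHA256      = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
        CreatedUtc  = $File.CreationTimeUtc
    }
}

$findings = foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object { Test-MasqueradingBinary -File $_ }
}

# Newest files first: a freshly dropped implant tends to stand out by creation time.
$findings | Sort-Object CreatedUtc -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it from an elevated PowerShell session so that protected system directories are readable. On current Windows releases Get-AuthenticodeSignature also validates catalog-signed system files, so genuine Microsoft binaries should not appear in the output; anything that does is worth triaging, and the SHA256 column can be checked against the sample hashes published at the end of Kaspersky's report.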
Chrome and Windows zero-days galore
This is not the first Chrome zero-day exploit chain used in the wild in recent months.
Project Zero, Google’s zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.
The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
- renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
- two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
- a “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting two different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).
“It’s a reminder that zero days continue to be the most effective method for infecting targets.”
Indicators of compromise (IOCs) including malware sample hashes can be found at the end of Kaspersky’s report.