On August 27, 2018, a zero-day vulnerability information was published on Twitter by an information security specialist with the nickname SandboxEscaper. Vulnerability affects versions of Microsoft Windows 7 through 10, more precisely, the Advanced Local Procedure Call (ALPC) interface in Windows Task Scheduler. It provides local privilege escalation (Local Privilege Escalation), which allows an attacker to elevate the rights of malicious code from the User level to SYSTEM. We are not talking about coordinated disclosure of the vulnerability - the SandboxEscaper account was soon removed, the closing patches were missing.
The link from tweet led to
the GitHub repository with the Proof-of-Concept exploit code - not only the compiled version, but also the source code. Consequently, anyone could modify and recompile the exploit to improve it, avoid detection, or include it in its own code.
In general, it is not surprising that in just two days the exploit appeared in the wild in the PowerPool cyber campaign. According to telemetry data from ESET, Russia, Ukraine, Poland, Germany, the United Kingdom, the United States, India, the Philippines, and Chile are among the target attacking countries. There are relatively few casualties, which may indicate a highly targeted campaign.
')
PowerPool Toolkit
ESET fixed a new group relatively recently, however, a rather wide range of tools was available to PowerPool hackers. Next, a brief look at some of them.
Exploit local privilege escalation in ALPC
The developers of PowerPool did not use the binary file published by SandboxEscaper, they changed the source code somewhat and recompiled it. The exploit has also been noted
by security researchers and
CERT groups.
Figure 1. Copyright description of the exploit
The flaw is in the
SchRpcSetSecurity
API
SchRpcSetSecurity
, which does not correctly check user rights. Thus, the user can write any file to
C:\Windows\Task
, regardless of the actual permissions - if you have read permission, it is possible to replace the contents of the write-protected file.
Any user can write files to
C:\Windows\Task
, so in this folder you can create a file that is a hard link to any
target file. Then, by calling the
SchRpcSetSecurity
function, you can access write access to this target file. In order to provide local privilege escalation, an attacker needs to select the target file to be overwritten - it is important that this file be executed automatically with administrator rights. Alternatively, it can be a system file or a utility for updating previously installed software that runs regularly. The final step is to replace the contents of the target file with malicious code. Thus, during the next automatic execution, the malware will have administrator rights regardless of the initial rights.
The developers of PowerPool decided to change the contents of the file
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
. It is a legitimate updater for Google applications, it is regularly executed with administrator rights through the Microsoft Windows task.
Figure 2. Creating a hard link to Google Updater
Figure 3. Using SchRpcCreateFolder to change the permissions of the Google Updater executable
The sequence of operations in the figure above allows PowerPool operators to obtain write access to the executable file
GoogleUpdate.exe
. Then they overwrite it, replacing it with a copy of their second-level malware (described below) to gain administrator rights the next time the updater is called.
Initial compromise
The PowerPool group uses different methods for the initial compromise of the victim. One of them is a spam mailing with malware of the first stage in the attachment. It is early to draw conclusions, but so far we have seen very few samples in the telemetry data, so we assume that the recipients are carefully selected and we are not talking about mass mailing.
On the other hand, we know that in the past, PowerPool has already practiced spamming. According
to a SANS blog post published in May 2018, they used a Symbolic Link file scheme (.slk) for distributing malware. Microsoft Excel can download these files that update the cell and force Excel to execute PowerShell code. It seems that these .slk files are also distributed in spam messages. Based on the first file mentioned in the SANS post (SHA-1: b2dc703d3af1d015f4d53b6dbbeb624f5ade5553), you can find on VirusTotal a corresponding sample of spam (SHA-1: e0882e234cba94b5cf3df2c05949e2e228bedd222d22222d22d22d2b2d2b2d5b2d5e5e4e4e4e5e2e2e2d2d2d2b2d2b2db2dbcb4d5b5d5b5dbf.
Figure 4. Spam PowerPool
Windows backdoors
The PowerPool group usually works with two backdoors: the backdoor of the first stage is used after the initial compromise, the backdoor of the second stage is implemented only on the machines of interest.
First stage backdoor
This is the basic malware that is used for intelligence. It consists of two executable Windows files.
The first is the main backdoor, which provides persistence through the service. It also creates a mutex called
MyDemonMutex%d
, where
%d
is in the range from 0 to 10. The backdoor collects information about the proxy, the C & C server address is hard-coded in the binary file. Malware can execute commands and perform basic intelligence in the system, transferring data to a C & C server.
Figure 5. Collect proxy information
The second of the executable files has one purpose. He takes a screenshot and writes it to the file
MyScreen.jpg
, which can then be exfiltered by the main backdoor.
Second stage backdoor
Malware is loaded during the first stage, presumably in the event that the machine seems interesting to the operators. However, the program does not look like a modern art backdoor.
The address of the C & C server is hard-coded in binary format; there is no mechanism for updating this important configuration item. The backdoor searches for commands from
http://[C&C domain]/cmdpool
and downloads additional files from
http://[C&C domain]/upload
. Additional files are primarily horizontal tools mentioned below.
Supported commands:
- execute the command
- complete the process
- send file
- Download file
- view the contents of the folder
Commands are sent in JSON format. The examples below are requests to execute commands and list folders:
Figure 6. Backdoor command examples
Tools for horizontal movement
By providing continuous access to the system using the backdoor of the second stage, PowerPool operators use several open source tools, written primarily in PowerShell, for horizontal movement in the network.
-
PowerDump : a Metasploit module that can retrieve user names and hashes from the Security Account Manager.
-
PowerSploit : a collection of PowerShell modules, a la Metasploit.
-
SMBExec : PowerShell tool for performing pass-the-hash attacks using the SMB protocol.
-
Quarks PwDump : Windows executable file that can retrieve credentials.
-
FireMaster : Windows executable file that can extract saved passwords from Outlook, web browsers, etc.
Conclusion
Vulnerability disclosures before updates are put at risk for users. In this case, even the latest version of Windows may be compromised.
CERT-CC offers a temporary solution to the problem, which, however, was not officially agreed by Microsoft.
The PowerPool attack targets a limited number of users. Nevertheless, the incident shows that attackers are always up to date and promptly implement new exploits.
ESET experts continue to monitor the exploitation of a new vulnerability. Compromise indicators are also available
on GitHub .
Indicators of compromise
Hashes
The backdoor of the first stage (Win32 / Agent.SZS) 038f75dcf1e5277565c68d57fa1f4f7b3005f3f3
The backdoor of the first stage (Win32 / Agent.TCH) 247b542af23ad9c63697428c7b77348681aadc9a
Second stage backdoor (Win32 / Agent.TIA) 0423672fe9201c325e33f296595fb70dcd81bcd9
The second stage backdoor (Win32 / Agent.TIA) b4ec4837d07ff64e34947296e73732171d1c1586
ALPC LPE Exploit (Win64 / Exploit.Agent.H) 9dc173d4d4f74765b5fc1e1c9a2d188d5387beea
Detection by ESET products
- Win32 / Agent.SZS
- Win32 / Agent.TCH
- Win32 / Agent.TEL
- Win32 / Agent.THT
- Win32 / Agent.TDK
- Win32 / Agent.TIA
- Win32 / Agent.TID
C & C servers
- newsrental [.] Net
- rosbusiness [.] Eu
- afishaonline [.] Eu
- sports-collectors [.] Com
- 27.102.106 [.] 149