Bad actors used a Windows zero-day in financial attacks

In March 2016 experts from FireEye spotted a malicious campaign conducted by a financially motivated threat actor that leveraged on a zero-day exploit.

According to security experts at FireEye, a sophisticated criminal organization targeted more than 100 organizations in North America. Most of the victims are in the retail, hospitality and restaurant sectors. Threat actor leverages windows zero-day exploit in payment card data attacks.

The attackers relied on a zero-day privilege escalation vulnerability affecting Windows systems, hackers used spear-phishing emails and malicious macro-enabled Word documents to deliver the threat PUNCHBUGGY.

PUNCHBUGGY is a DLL downloader that used to compromise the target and move laterally within the victim’s network. The criminal crew also used a new point-of-sale (PoS) malware dubbed “PUNCHTRACK.” The malware is a memory scraper that is able to capture both Track 1 and Track 2 payment card data.

“FireEye identified more than 100 organizations in North America that fell victim to this campaign. FireEye investigated a number of these breaches and observed that the threat actor had access to relatively sophisticated tools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale (POS) memory scraping tool that we refer to as PUNCHTRACK. ” states FireEye. “Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk.”

As reported by FireEye, in some of the attacks the criminal organization exploited a local privilege escalation vulnerability in Windows (CVE-2016-0167). The CVE-2016-0167 flaw was exploited by hackers to run malicious code with SYSTEM privileges.

The flaw was unknown at the time of the attacks, experts at FireEye worked with Microsoft to fix the issue on April 12, 2016. Patch Tuesday (MS16-039).

FireEye confirmed that the flaw was exploited in limited, targeted attacks dating back to March 8.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” continues FireEye in the post.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Windows zero-day, PoS)