Recently uncovered PowerPool Group used recent Windows Zero-Day exploit

Pierluigi Paganini September 06, 2018

Security experts from ESET observed a treat actor, tracked as PowerPool, exploiting the recently disclosed Windows zero-day flaw in targeted attacks.

The vulnerability was publicly disclosed on August 27 by the security expert “@SandboxEscaper,” the researcher also published the exploit code for the vulnerability.

The vulnerability affects Microsoft’s Windows operating systems that could be exploited by a local attacker or malicious program to obtain system privileges on the vulnerable system.

The vulnerability resides in the Windows’ task scheduler program and ties to errors in the handling of Advanced Local Procedure Call (ALPC) systems.

Microsoft was expected to address the vulnerability in September security Patch Tuesday, that is scheduled for September 11, but the news of live attacks exploiting the issue could force the company to roll out a patch sooner.

Security community 0patch has also released an unofficial patch for the vulnerability.

Now security researchers from ESET reported the local privilege escalation vulnerability has been exploited by a previously unknown group tracked as PowerPool.

“As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool.“reads the analysis published by ESET.

“This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.”

The threat actor leveraged the Windows zero-day exploit in targeted attacks against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines, and Poland.

According to ESET, attackers have modified the publicly available exploit source code and recompiled it.

To obtain a Local Privilege Escalation, the attacker needs to properly choose the target file that will be overwritten. The target file, in fact, has to be a file that is executed automatically with administrative rights.

“PowerPool’s developers chose to change the content of the file C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the legitimate updater for Google applications and is regularly run under administrative privileges by a Microsoft Windows task.” continues the analysis.

PowerPool’s attack vector is spear-phishing messages, ESET researchers pointed out that the same group was also responsible for a spam campaign spotted by SANS in May that used Symbolic Link (.slk) files to spread malicious codes.

PowerPool group

The group used a multi-stage malware, the first stage is a backdoor used for a reconnaissance activity. It determines if the infected machine is interesting for the attackers, in this case, the malicious code downloads a second stage backdoor that supports various commands such as uploading and downloading files, killing processes, and listing folders.

The analysis of the second-stage backdoor allowed the researchers to determine that the malicious code is not “a state-of-the-art APT backdoor.”

“Once the PowerPool operators have persistent access to a machine with the second-stage backdoor, they use several open-source tools, mostly written in PowerShell, to move laterally on the network.” continues the report.

The tools used by the attackers include PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.

Further details, including the IoCs are reported in the analysis published by ESET.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  hacking, PowerPool group)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment