Microsoft Windows OS from Windows 7 to Windows 10 and Windows Server 2016 systems have been affected by this Local Privilege Escalation flow in Advanced Local Procedure Call (ALPC) function.
Proof-of-Concept code for this exploit has been released in the GitHub repository which can modify and recompile by anyone in order to improve the attack vector as adding the evade detection techniques.
Now, an unknown cybercrime group named as PowerPool started using this exploit as a malicious campaign to attack the vulnerable victims across many countries including Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.
Attackers modified the Source code
Malware authors from PowerPool modified the source code slightly and recompiled it and they did not reuse the binary that was provided by the original exploit author.
A Serious flow discovered in the SchRpcSetSecurity API function allow user can have write permissions on any file in C:WindowsTask regardless of its actual permissions because API function doesn’t check the user’s permissions correctly.
This flaw allows a user who is having read one permission can able to write in C:WindowsTask and it is possible to create a file in this folder that is a hard link to any target file.
Exploit Original Author Description
Later we can gain write access to that target file by calling the broken function SchRpcSetSecurity.
In this case, PowerPool ’s malware author chose to change the content of the file C:Program Files (x86)GoogleUpdateGoogleUpdate.exe which is one of the legitimate Google updaters.
Here an attacker abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable.
Above PowerPool operators allows gaining write access to the executable GoogleUpdate.exe.
Initial Stage of Attack
The initial stage of attack started with a spam email with an attached malicious file which is first stage of attack with PowerShell code.
“Also PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first compromise and then a second-stage backdoor, probably on the most interesting machines.”
According to ESET research, This is basic malware used for reconnaissance on the machine. It comprises two Windows executables and the Second-stage backdoor is downloaded via the first stage, presumably when the operators believe the machine is interesting enough for them to stay on it for a longer time.
Once the attacker successfully gains access to a machine with the second-stage backdoor they will start using the several open-source tools to perform further attacks.
Indicators of compromise
|038f75dcf1e5277565c68d57fa1f4f7b3005f3f3||First stage backdoor||Win32/Agent.SZS|
|247b542af23ad9c63697428c7b77348681aadc9a||First stage backdoor||Win32/Agent.TCH|
|0423672fe9201c325e33f296595fb70dcd81bcd9||Second stage backdoor||Win32/Agent.TIA|
|b4ec4837d07ff64e34947296e73732171d1c1586||Second stage backdoor||Win32/Agent.TIA|
|9dc173d4d4f74765b5fc1e1c9a2d188d5387beea||ALPC LPE exploit||Win64/Exploit.Agent.H|