Malware writers exploit recent Windows Task Scheduler 0-day vulnerability
The exploit was partly facilitated by the fact that the source code for a proof-of-concept exploit for the ALPC LPE vulnerability -- as well as a binary -- was published on GitHub. Now a group that has been named PowerPool has been spotted using the code in a malware campaign.
The security firm ESET noticed the campaign and says: "As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool. This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine".
Rather than using the published source code "as is", PowerPool modified it slightly before recompiling -- presumably either in an attempt to evade detection, or to make it appear like a new piece of work.
ESET explains how the threat actor used a flaw in the SchRpcSetSecurity API function to gain write access to the file GoogleUpdate.exe. Then, the explanation continues, "they overwrite it with a copy of their second-stage malware in order to gain SYSTEM privileges the next time the updater is called". The second-stage malware is a backdoor.
ESET issues a warning about the way in which this vulnerability was revealed:
“The disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk. In this case, even the most up-to-date version of Windows could be compromised as no patch was released when the vulnerability and exploit were published. The CERT-CC provides some mitigations but Microsoft has not officially approved them.
This specific campaign targets a limited number of users, but don't be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available.”
With Microsoft yet to release a fix for the vulnerability, users are left at risk unless they are willing to place their security in the hands of third-party patch developer 0patch.
Müəllif
Metbuat.az
Qaynar xətt
0552252950
Həmçinin oxu
Süni intellekt üçün internet “Bakcell”dən
en.ictnews.az
DİGƏR XƏBƏRLƏR
Daha çox »Top xəbərlər
Layihələr
Son xəbərlər
Türkiyə nəhəngi dünya çempionatının ulduzunu transfer edir
Bu gün
·
19:05
Nazir ona vəzifə verdi
Bu gün
·
18:18
Milli Məclisin növbədənkənar sessiyasının son iclası keçiriləcək - YENİLƏNİB
Bu gün
·
17:28
Hərbçimiz vəfat etdi
Bu gün
·
17:08
Hasil Abbasov üç nəfərə yüksək vəzifə verdi
Bu gün
·
17:06
Şimşək çaxacaq, dolu düşəcək - XƏBƏRDARLIQ
Bu gün
·
17:04
Əli Əsədov Rusiyanın səhiyyə naziri ilə görüşdü
Bu gün
·
16:47
Rafael Ağayevə ağır itki üz verdi
Bu gün
·
16:35
Paytaxtda maşından meyit tapıldı
Bu gün
·
16:25
Azərbaycanda bank kartları ilə bağlı mühüm açıqlama
Bu gün
·
16:08
“Azərsun Holdinq” şəkər çuğunduru emalı həcmini 800 min tona qaldıracaq
Bu gün
·
15:54
Moda dizayneri Kamilla Məmmədzadə "Yes Couture"brendi ilə birlikdə Azərbaycan xalçalarından ilhamlanan kolleksiyasını təqdim etdi – FOTO
Bu gün
·
15:50
Salahın meneceri Türkiyədə: Bu kluba keçir
Bu gün
·
15:33
Oğuzda meyit tapıldı
Bu gün
·
15:25
Geomaqnit qasırğası olacaq
Bu gün
·
15:05