Recent Windows ALPC zero-day has been exploited in the wild for almost a week

ESET says it detected PowerPool group using recently disclosed Windows ALPC zero-day to improve the efficiency of its malware.
Written by Catalin Cimpanu, Contributor

Two days after a security researcher released details and proof-of-concept code about an unpatched Windows zero-day, one malware group had already incorporated the vulnerability in their exploit chain and was attempting to infect users around the globe.

The zero-day used in this malware distribution campaign is a (still-unpatched) vulnerability in the Windows Task Scheduler feature, affecting the Advanced Local Procedure Call (ALPC) function.

Details about this vulnerability were released on August 27, on Twitter and GitHub, along with a fully working proof-of-concept exploit.

In OS versions released after Windows 7, the ALPC function does not properly check user permissions when interacting with files stored in the Windows Task Scheduler folder. An attacker using the PoC released on Twitter/GitHub can elevate a normal user's permission level from USER to SYSTEM.

Because the researcher who revealed this zero-day released both a compiled binary but also the exploit's source code, infosec experts, at the time, predicted that this particular vulnerability would become extremely popular with malware authors.

Their predictions were met within two days, albeit, none knew at the time.

In a report published today, ESET security researcher Matthieu Faou says he's been tracking a group that has been leveraging the Windows ALPC zero-day for the past week.

The group --codenamed PowerPool-- has been sending low-volume spam to selected victims all over the globe, Faou says, with detections coming from Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

These emails contain malicious attachments that infect users with a first-stage backdoor. Faou says that if attackers determine that the infected computer might contain sensitive data, they download a second, more powerful backdoor. The group then uses the Windows zero-day to gain admin rights for their backdoors.

See also: Critical remote code execution flaw in Apache Struts exposes the enterprise to attack

In an email interview with ZDNet, Faou says the group has been active since at least the beginning of 2017 when his company started tracking the activity behind the two-backdoor malware combo.

"I was not able to clearly identify the final goal of this group," Faou told ZDNet. "However, the nature of their tools and the low number of victims suggests this is an espionage campaign. They conduct spam campaigns but at a relatively low volume."

But Faou made it clear in a report he published earlier today that the two backdoors are nowhere near as complex as the malware used by nation-state cyber-espionage groups.

See also: Mexicans served with Dark Tequila in spyware spree

Furthermore, the researcher also highlighted that, unlike other cases when researchers disclose zero-days online without waiting for patches, this time things were worse.

"When only a compiled version of the Proof-of-Concept is available, it is harder to reuse because malware developers first need to reverse-engineer the program in order to re-implement it in their malware," Faou told ZDNet.

"The difference between this zero-day and most of the previous ones is the release of the full source code used to exploit the vulnerability. Thus, it can be easily reused by malware developers," he added.

This is why when security researchers published details about a new exploitation technique involving Windows 10 Settings Panel links (.SettingContent-ms files), it took malware authors weeks of experimentation before getting things right, by which time, Microsoft had patched the issue in the August 2018 Patch Tuesday.

But this time around, Faou said the PowerPool group got it right on the first attempt.

"Yes they were able to elevate the privileges of their 2nd stage backdoor from a restricted user to SYSTEM," Faou told us when we asked about the group's success rate. "I did not find any trace of previous failed attempts," he said.

An analysis of the PowerPool group's backdoors and other details regarding their modus operandi are included in Faou's report published on the ESET site.

Editorial standards