Researchers track hacking ‘fingerprints,’ link Russian attackers to Windows exploit sellers

The new technique was used to profile prolific Windows LPE exploit sellers.
Written by Charlie Osborne, Contributing Writer

Researchers have developed a new technique to "fingerprint" cybercriminals, including two prolific sellers of Windows exploits. 

On Friday, researchers from Check Point said the "fingerprinting" technique has been used to link Windows local privilege escalation (LPE) exploits to two different authors, believed to have sold their creations previously to Russian advanced persistent threat (APT) groups as well as other clients. 

In a blog post, the cybersecurity firm said that the technique was developed off the back of a customer response incident, in which a small 64-bit executable was found during an attack.

After analyzing the file, the team found unusual debug strings that pointed to an attempt to exploit a vulnerability on one of the target machines. The file contained a leftover PDB path -- "...\cve-2019-0859\x64\Release\CmdTest.pdb" -- which indicated the use of a real-world exploit tool. 

Digging further, Check Point decided to try and "fingerprint" unique identifiers recognizable as the work of specific exploit developers by securing another 32-bit file which showed compilation at the same time, indicating the handiwork of the same individual. 

See also: This worm phishing campaign is a game-changer in password theft, account takeovers

Check Point explored unique artifacts in binary code, internal file names, PDB paths, hard-coded values such as crypto constants and garbage values, data tables, string usage, syscall wrappers, and code snippets. 

In addition, the team analyzed the author's preferred leaking and elevation techniques, whether or not heap spraying was in use -- and how -- as well as the general "flow" of the exploits. Global calls, field offsets, and API use were also noted. 

It wasn't long before two small binaries turned into a flow of new samples, all based on newly-established Check Point hunting rules. The team then analyzed the new samples and refined their technique, and before long, two exploit sellers were identified

Check Point tested the new method against 16 Windows LPE exploits, 15 of which dated from 2015 and 2019. The team traced their sale to two different authors, "Volodya" -- previously known as "BuggiCorp," and "PlayBit," also known as "luxor2008."

CNET: Browser privacy boost: Here are the settings to change in Chrome, Firefox, Safari, Edge and Brave

Volodya sells exploits for known vulnerabilities as well as zero-day security flaws -- as and when they appear. Check Point linked 10 Windows LPE exploits to this threat actor, many of which were based on zero-days at the time of development. 

Clients include operators of Ursnif, GandCrab, Cerber, Magniber, and APT groups including Turla, APT28, and Buhtrap.

"The APT customers, Turla, APT28, and Buhtrap, are all commonly linked to Russia and it is interesting to find that even these advanced groups purchase exploits from exploit authors, instead of developing them in-house," the researchers say.

The other exploit seller, PlayBit, focuses only on payloads suitable for known security issues. In total, Check Point found evidence of five different exploits sold by this developer -- some of which have ended up in the hands of cybercriminals making use of REvil and Maze ransomware.

TechRepublic: Account takeover fraud rates skyrocketed 282% over last year

"Finding the vulnerability is just the beginning. They [cyberattackers] need to reliably exploit it on as many versions as possible, in order to monetize it to a customer's satisfaction," commented Itay Cohen, Check Point researcher. "We believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal."

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards