Windows 10 Targeted By PuzzleMaker Hackers Using Chrome Zero-days
Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide.
According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted in mid-April, when the first victims’ networks were compromised.
The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.
Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) and a Windows NTFS privilege escalation bug (CVE-2021-31956), both patched in the June Patch Tuesday.
Malware deployed with system privileges
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
“This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.
“The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
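The researchers describe the dropped executables as masquerading as legitimate Windows files. One defensive check that follows from that is to verify that binaries under the Windows directory actually carry a valid Microsoft Authenticode (or catalog) signature, and to triage the rest by creation time. The script below is an added example and is not code from Kaspersky's report; the scanned paths, the output file and the "O=Microsoft Corporation" subject match are assumptions about a typical Windows 10 host.

```powershell
# Added example (not from the Kaspersky report): list executables under the
# Windows system directories whose signature is not a valid Microsoft one.
# $Paths, $OutCsv and the subject pattern are assumptions for a typical host.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
    [string]$OutCsv  = "$env:TEMP\unsigned-binaries.csv"
)

$results = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Include *.exe, *.dll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature also resolves catalog-signed files on Windows 10
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # A valid signature from Microsoft is the expected case; anything else is
        # reported for triage (third-party drivers will also show up here).
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status
                Signer   = $subject
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Newest files first: a recently created unsigned binary in System32 is the
# pattern worth looking at, and the hash can be compared against published IOCs.
$results | Sort-Object Created -Descending | Export-Csv -Path $OutCsv -NoTypeInformation
$results | Sort-Object Created -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that every file under the system directories is readable. Expect some hits from legitimately unsigned or third-party-signed components; the value is in the combination of an unexpected signer, a recent creation time and a hash that can be checked against the indicators in Kaspersky's report.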
Chrome and Windows zero-days galore
This is not the first Chrome zero-day exploit chain used in the wild in recent months.
Project Zero, Google’s zero-day bug-hunting team, unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users within a single year.
The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
- renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
- two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
- a “privilege escalation kit” composed of publicly known n-day exploits for older versions of Android
- one full exploit chain targeting fully patched Windows 10 using Google Chrome
- two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
- several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
“Overall, of late, we’ve been seeing several waves of high-profile threat activity being driven by zero-day exploits,” added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).
“It’s a reminder that zero days continue to be the most effective method for infecting targets.”
Indicators of compromise (IOCs) including malware sample hashes can be found at the end of Kaspersky’s report.