Today, Kaspersky Labs announced that it had detected a "previously unknown vulnerability" in Microsoft Windows, which was exploited by an unidentified criminal group.
The company theorizes that it was an attempt to gain full control over a targeted device. The attack was aimed at the core of the system – its kernel – through a backdoor constructed from an essential element of Windows OS.
The vulnerability was reported to Microsoft and patched on April 10, 2019. HEUR:Exploit.Win32.Generic, HEUR:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic were detected.
It was the fifth consecutive exploited local privilege escalation vulnerability in Windows that the company had discovered in recent months.
Kaspersky Lab's Exploit Prevention technology found the attempt to exploit the unknown vulnerability in Microsoft Windows OS, which some security solutions would not be able to recognize. This is because a backdoor that exploits a previously unknown bug in the system – a zero-day vulnerability – has significantly more chances to fly under the radar.
According to the company, "Once the malicious .exe file was launched, installation of the malware was initiated." The company explained that the infection exploited a zero-day vulnerability and achieved privileges for successful persistence on the victim’s machine.
The malware then initiated the launch of a backdoor developed with a legitimate element of Windows, present on all machines running on this OS – a scripting framework called Windows PowerShell. This allowed threat actors to be stealthy and avoid detection, saving them time in writing the code for malicious tools. The malware then downloaded another backdoor from a popular legitimate text storage service, which in turn gave criminals full control over the infected system.
“In this attack, we observed two main trends that we often see in Advanced Persistent Threats (APTs). First, the use of local privilege escalation exploits to successfully persist on the victim’s machine. Second, the use of legitimate frameworks like Windows PowerShell for malicious activity on the victim’s machine. This combination gives the threat actors the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention and behavioral detection engines,” explains Anton Ivanov, a security expert at Kaspersky Lab.