PuzzleMaker Group Attacks Companies with 0-Day Vulnerabilities in Chrome and Windows 10

Kaspersky Lab specialists have announced that a new group, PuzzleMaker, is attacking companies around the world. The targeted attacks exploit a chain of zero-day vulnerabilities in the Google Chrome browser and Windows 10.

According to the researchers, a previously unknown group, which they named PuzzleMaker, is behind the campaign; the first attacks were detected in mid-April 2021.

"None of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the 'PreviousMode' technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker," researchers at Kaspersky Lab said.

The chain of vulnerabilities exploited in the attacks begins with a remote code execution issue in the Google Chrome V8 JavaScript engine. This bug could not be tied to a specific identifier, because Kaspersky Lab was unable to obtain the full exploit for it.

"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges," the specialists explained.

The researchers also investigated the two Windows vulnerabilities used by that EoP exploit: CVE-2021-31955 (an information disclosure bug in the Windows kernel) and CVE-2021-31956 (a privilege escalation bug in the Windows NTFS driver). Microsoft fixed both issues as part of its June 2021 Patch Tuesday.

The attackers gained initial access to the target system through the Chrome vulnerability, then exploited CVE-2021-31955 and CVE-2021-31956 to escape the browser sandbox and obtain system privileges on Windows.

According to the experts, PuzzleMaker used the Windows Notification Facility (WNF) in conjunction with the exploitation of CVE-2021-31956 to execute its malicious modules on the system with system privileges.

"After exploiting vulnerabilities in Chrome and Windows to access the target system, the attackers initiated a download from a remote server and execution of a more complex dropper […] This dropper installs two executable files masked as legitimate Windows files. The second of these files is a shell capable of downloading files, creating processes, going into sleep mode for a specified time, and deleting itself from the infected system," the researchers said.

Let me remind you that we previously wrote that most exploits for 0-day vulnerabilities are developed by private companies.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
