Security scientists have warned about PuzzleMaker, a new hacking team that is making use of a series of Google Chrome and Windows 10 exploits to attack businesses throughout the world.
In accordance to stories, researchers 1st observed the attacks in mid-April. These attacks, which have been remarkably qualified towards corporations all over the world, applied a chain of Google Chrome and Microsoft Windows zero-day exploits.
Scientists failed to uncover an exploit utilized for distant code execution (RCE) in Chrome but discovered and analyzed an elevation-of-privilege exploit made use of to escape the sandbox and receive procedure privileges.
Scientists mentioned a consumer with the Twitter handle @r4j0x00 later posted a performing distant code execution exploit on GitHub.
Pursuing the use of this exploit, hackers then made use of a further exploit to abuse Windows Notification Facility (WNF) with a Windows NTFS privilege escalation bug (CVE-2021-31956) to execute code with program privileges on compromised Windows 10 programs.
This enabled hackers to entry the victim’s method and execute 4 malware modules these had been stager, dropper, company, and distant shell modules.
The stager checks if exploitation is successful. If so, it downloads a dropper module from a C2 server. The dropper module installs two executables that fake to be reputable Windows information. The 1st file is registered as a service and applied as a launcher for the next executable. The next file is used as a remote shell and is the attack’s key payload.
“The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication concerning the C&C server and customer is approved and encrypted. The remote shell module is in a position to download and add documents, produce processes, snooze for specified quantities of time and delete itself from the compromised equipment,” explained scientists.
Scientists warned the malware would not show up to have any strong connections to other risk actors. Companies have been urged to utilize all patches to affected programs as before long as attainable.
Some areas of this report are sourced from: