Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

Chain of vulnerabilities used to attack multiple companies worldwide

Security researchers have warned about PuzzleMaker, a new hacking group that is using a series of Google Chrome and Windows 10 exploits to attack organizations worldwide.

According to reports, researchers first observed the attacks in mid-April. These attacks, which were highly targeted against companies worldwide, used a chain of Google Chrome and Microsoft Windows zero-day exploits

Researchers failed to find an exploit used for remote code execution (RCE) in Chrome but found and analyzed an elevation-of-privilege exploit used to escape the sandbox and obtain system privileges.

As researchers didn't find the RCE in Chrome, they looked elsewhere and discovered a possible candidate. On April 12, Chromium developers committed two (issue 1196683, issue 1195777) Typer-related bug fixes to the open source repository of V8 — a JavaScript engine used by Chrome and Chromium web browsers. This was after a team in a Pwn2Own competition demonstrated successful exploitation of the Chrome renderer process using a Typer Mismatch bug.

"One of these bug fixes (issue 1196683) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests – JavaScript files to trigger these vulnerabilities," said researchers.

Researchers said a user with the Twitter handle @r4j0x00 later published a working remote code execution exploit on GitHub.

Related Resource

Enabling operational resiliency with Veritas

Boost your DX goals with data and infrastructure insights

A cityscape background against the water - Enabling operational resilience with VeritasWatch now

Following the use of this exploit, hackers then used another exploit to abuse Windows Notification Facility (WNF) with a Windows NTFS privilege escalation bug (CVE-2021-31956) to execute code with system privileges on compromised Windows 10 systems.

This enabled hackers to access the victim's system and execute four malware modules; these were stager, dropper, service, and remote shell modules.

The stager checks if exploitation is successful. If so, it downloads a dropper module from a C2 server.  The dropper module installs two executables that pretend to be legitimate Windows files. The first file is registered as a service and used as a launcher for the second executable. The second file is used as a remote shell and is the attack's main payload.

"The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between the C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine," said researchers.

Researchers warned the malware doesn't appear to have any strong connections to other threat actors. Organizations have been urged to apply all patches to affected systems as soon as possible.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
CISA, FBI, and NSA issue a Conti ransomware advisory
ransomware

CISA, FBI, and NSA issue a Conti ransomware advisory

23 Sep 2021
Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Ransomware hackers break off from Babuk to join a new group
ransomware

Ransomware hackers break off from Babuk to join a new group

9 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
London ranks second to Silicon Valley as world's best startup hub
startups

London ranks second to Silicon Valley as world's best startup hub

22 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021