
Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

Chain of vulnerabilities used to attack multiple companies worldwide

Security researchers have warned about PuzzleMaker, a new hacking group that is using a series of Google Chrome and Windows 10 exploits to attack organizations worldwide.

According to reports, researchers first observed the attacks in mid-April. These attacks, which were highly targeted against companies worldwide, used a chain of Google Chrome and Microsoft Windows zero-day exploits.

Researchers failed to find an exploit used for remote code execution (RCE) in Chrome but found and analyzed an elevation-of-privilege exploit used to escape the sandbox and obtain system privileges.

As researchers didn't find the RCE in Chrome, they looked elsewhere and discovered a possible candidate. On April 12, Chromium developers committed two Typer-related bug fixes (issue 1196683, issue 1195777) to the open source repository of V8 — the JavaScript engine used by the Chrome and Chromium web browsers. This came after a team at the Pwn2Own competition demonstrated successful exploitation of the Chrome renderer process using a Typer Mismatch bug.

"One of these bug fixes (issue 1196683) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests – JavaScript files to trigger these vulnerabilities," said researchers.

Researchers said a user with the Twitter handle @r4j0x00 later published a working remote code execution exploit on GitHub.


Following the use of this exploit, hackers then used another exploit to abuse Windows Notification Facility (WNF) with a Windows NTFS privilege escalation bug (CVE-2021-31956) to execute code with system privileges on compromised Windows 10 systems.

This enabled hackers to access the victim's system and execute four malware modules: a stager, a dropper, a service, and a remote shell.

The stager checks if exploitation is successful. If so, it downloads a dropper module from a C2 server. The dropper module installs two executables that pretend to be legitimate Windows files. The first file is registered as a service and used as a launcher for the second executable. The second file is used as a remote shell and is the attack's main payload.

"The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between the C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine," said researchers.
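As an added example (not code from the article or from the researchers' report), a small Python hunting check that refangs the C2 domain quoted above and scans DNS log lines for lookups of that domain or any of its subdomains; the log lines and their "timestamp client query name" layout are constructed for the example.

```python
import re
from typing import Iterable

# C2 domain quoted in the article, in defanged form.
DEFANGED_C2 = "media-seoengine[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IoC domain or a subdomain of it; 'notmedia-seoengine.com' must not match."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed sample lines in an assumed "<timestamp> <client> query <qname>" DNS-log layout.
SAMPLE_DNS_LOG = """\
2021-04-14T09:12:01Z 10.0.0.23 query www.example.com
2021-04-14T09:12:07Z 10.0.0.23 query media-seoengine.com
2021-04-14T09:13:40Z 10.0.0.41 query cdn.MEDIA-SEOENGINE.com
2021-04-14T09:14:02Z 10.0.0.41 query notmedia-seoengine.com
2021-04-14T09:15:15Z 10.0.0.57 query update.microsoft.com
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def find_c2_lookups(log_lines: Iterable[str], defanged_ioc: str = DEFANGED_C2) -> list:
    """Return a dict (ts, client, qname) for every lookup that touches the C2 domain."""
    ioc = refang(defanged_ioc)
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than guess at the fields
        if domain_matches(m["qname"], ioc):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} client {hit['client']} resolved {hit['qname']}")
```

The suffix check with a leading dot is what keeps a look-alike such as notmedia-seoengine.com out of the results while still catching subdomains.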

Researchers warned the malware doesn't appear to have any strong connections to other threat actors. Organizations have been urged to apply all patches to affected systems as soon as possible.
