Security researchers at Kaspersky have found an exploit in the wild that abuses a zero-day vulnerability in Microsoft Windows to elevate privileges: an attacker who already has code running as an ordinary user on an otherwise protected machine can use it to gain full control. The flaw lies in win32k.sys, the kernel-mode driver behind the Windows GUI subsystem, and is the fifth exploited Windows local privilege escalation of this kind that Kaspersky has uncovered since October 2018. Microsoft has since patched the issue; systems that installed the April 10 update are protected.
What Were the Crooks Going After?
After Kaspersky reported the exploit on March 17, Microsoft assigned the vulnerability the identifier CVE-2019-0859 and released a fix on April 10. win32k.sys is not an ordinary file: it is the kernel-mode driver that implements the Windows window manager and GDI. Because it runs with kernel privileges yet services requests from unprivileged user processes, a memory-handling bug in it turns into a local privilege escalation. Such a flaw lets an intruder who already runs code as a normal user:
- Defeat kernel Address Space Layout Randomization (ASLR) by abusing HMValidateHandle, an unexported user32.dll function that leaks the kernel addresses of window objects, so the exploit knows where in kernel memory to write.
- Obtain SYSTEM-level (administrator) rights.
- Run code inside the kernel itself.
It appears that the attackers behind the exploit were primarily after machines running 64-bit builds of Windows 7 or Windows 10.
Infection In Three Acts
Once the exploit has defeated ASLR and elevated its privileges, it runs a payload in three stages:
- Stage 1: Execute a PowerShell command that downloads a script from the Pastebin paste-sharing site.
- Stage 2: That script in turn issues a command to download a second script.
- Stage 3: Execute the second script.
The final script opens an HTTP reverse shell: the infected PC initiates an outbound HTTP connection to the attackers' server, which slips through firewalls that only filter inbound traffic, and the attackers send commands back over it. A working command channel combined with elevated privileges is all an outsider needs to take effective control of the machine.
The attack layout described above is typical of an Advanced Persistent Threat (APT) living off the land: it abuses legitimate Windows components rather than dropping its own tools. Here the exploit targets a bug in the built-in win32k.sys driver and uses the built-in PowerShell interpreter for every payload stage, so there is no foreign binary on disk for signature-based antivirus to flag. That is why exploit prevention and behaviour-based detection, rather than file scanning alone, matter against this class of attack.