PuzzleMaker Cybercrime Gang Description
A new wave of highly targeted attacks was detected by infosec researchers. The characteristics of the operation did not match the TTPs (Tactics, Techniques and Procedures) of any established cybercrime group. This lack of overlap with previous attack campaigns led the researchers to attribute the observed attacks to a newly designated threat actor, which they named PuzzleMaker.
Initial Compromise Vector
Analysis revealed that the PuzzleMaker hackers relied on zero-day vulnerabilities in Google Chrome and Microsoft Windows. The exact Chrome exploit could not be pinpointed, but circumstantial evidence points towards CVE-2021-21224, a vulnerability that could affect the 90.0.4420.72 Chrome build. Google fixed this vulnerability on April 20, 2021.
The two Windows vulnerabilities used in the PuzzleMaker attack, however, were identified and assigned the designations CVE-2021-31955 and CVE-2021-31956. Microsoft patched both on June 8, 2021.
CVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. It is related to a feature called SuperFetch, introduced with Windows Vista, which was designed to lower load times on Windows systems by preloading frequently used applications into memory. CVE-2021-31956 is described as a heap-based buffer overflow in ntfs.sys.
The PuzzleMaker Malware
After establishing a foothold on the targeted system, the PuzzleMaker gang proceeds to drop four malware modules, each responsible for a separate stage in the attack chain. First, a stager module confirms the successful breach and notifies the operators. It then fetches a more sophisticated next-stage dropper module from a remote server. The stager module dropped on each victim appears to contain a customized configuration blob that specifies the URL of the Command-and-Control server, a session ID, and the keys needed to decrypt the next malware module.
The dropper module downloads two executable files to the %SYSTEM% folder of the compromised machine. WmiPrvMon.exe is registered as a service and functions as a launcher for the other file, which is believed to be the main payload of the attack. That payload is delivered as a file named wmimon.dll and is capable of establishing a remote shell.
The shell contains a hardcoded URL used to reach the C&C server, and all traffic between the server and the malware is authorized and encrypted. Through the remote shell, the PuzzleMaker gang can manipulate processes on the infected system, force it to enter sleep mode, deliver additional files or exfiltrate selected data, and command the malware to delete itself.