Following the release of a software patch by Microsoft, Kaspersky Lab experts can explain how the Windows zero-day they discovered in September was being used by a threat actor known as FruityArmor to mount targeted attacks. FruityArmor used the zero-day, CVE-2016-3393, to escape sandbox technology, helping the attackers to secure greater privileges over victims’ machines and remotely execute their malicious code. CVE-2016-3393 is the fourth zero-day to be detected this year by new Kaspersky Lab technologies designed to identify and block such vulnerabilities.
Following the publication of the critical software fix by Microsoft on 11 October, Kaspersky Lab experts have published a review of the vulnerability’s use by FruityArmor. The threat actor is somewhat unusual in that its attack platform is written in PowerShell, an automation and scripting language for Windows.
Once inside a target machine, the threat actor normally relies on a browser exploit to execute its malicious code. However, since many browsers are built around sandboxes – a feature designed to isolate and securely launch new applications - the browser exploit on its own is rarely enough to give the attacker the level of access it needs. So FruityArmor complements the browser exploit with an EoP (elevation of privilege) exploit which allows it to escape the sandbox. CVE-2016-3393 is a Windows EoP exploit.
After the exploit has been deployed successfully, a second stage payload is executed with higher level privileges to run PowerShell with an advanced, dynamic meterpreter-style script that connects to the threat actor’s Command and Control server. The malware is then ready to receive further instructions and download additional modules.
“Even though there is a growing tendency for attackers to use off-the-shelf malware, unpatched zero-days remain the top prize, treasured by targeted threat actors. The demand for such vulnerabilities is unlikely to diminish any time soon, which is why we need security researchers to continue hunting for them, protection technologies able to detect them, and software developers responding rapidly with a fix. We all have a shared responsibility to protect customers,” said Anton Ivanov, security expert at Kaspersky Lab.
Kaspersky Lab products detect the CVE-2016-3393 exploit as:
The exploit was detected by the Automatic Exploit Prevention module, which is constantly updated and found in all flagship Kaspersky Lab security solutions for Windows. The module was created to deal with malware that exploits software vulnerabilities - including zero-day vulnerabilities - and contains the latest technologies to detect advanced threats. The module monitors various applications, including the most frequently targeted ones, and runs additional checks in the event of any suspicious activity.
To learn more about CVE-2016-3393, read the blog on Securelist.com.
Further information on the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: firstname.lastname@example.org