Chrome or Windows 10 can expose your PC to security threats

Jun 9, 2021 19:51 GMT

According to Kaspersky, on April 14 and 15, 2021, it tracked a wave of highly targeted attacks that used a chain of zero-day exploits in Chrome and Windows.

Kaspersky calls the attackers PuzzleMaker. Although not confirmed, the first exploit in the chain appears to be CVE-2021-21224, a type confusion vulnerability in V8 affecting Chrome versions prior to 90.0.4430.85.

On April 20, Google released a fix for the critical flaw, which allows a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page.

Researchers also discovered an exploit that used two Windows 10 vulnerabilities, both zero-day issues fixed in Microsoft's latest Patch Tuesday update.

The first vulnerability, CVE-2021-31955, is a Windows kernel information disclosure vulnerability in ntoskrnl.exe. It is used to leak the kernel addresses of the EPROCESS structures of running processes. The second, CVE-2021-31956, is a heap buffer overflow in the Windows NTFS driver that can be exploited to gain elevated privileges.

According to Kaspersky, when the vulnerabilities were linked together, the attacker was able to escape the sandbox and execute malicious code on a target machine.

Malware modules 

In addition to the exploits mentioned above, the full attack chain includes four other malware modules, known as Stager, Dropper, Service, and Remote Shell. The Stager module is used to report that exploitation was successful; it also downloads and executes a more complex malware dropper module from a remote server.

Each stager module is delivered to the victim with a customized configuration blob that includes the C&C URL, session ID, keys to decrypt the next malware stage, and other information.

The Dropper module is used to install two executables that masquerade as legitimate Microsoft Windows OS files. One of them (%SYSTEM%\WmiPrvMon.exe) is registered as a service and serves as a launcher for the second executable. The second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. Kaspersky did not find any similarities with other known malware.

The remote shell module has a hardcoded URL to the command-and-control server (media-seoengine.com). All communication between the C&C server and the client is authenticated and encrypted. The remote shell module can download and upload data, start and stop programs, sleep for specified periods of time, and delete itself from the compromised computer.
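The indicators the article gives (the fixed Chrome build for CVE-2021-21224, the two dropped files in the system directory, the service launcher, and the C&C domain) are enough for a simple triage pass on a fleet. The following is an added example written for this page, not Kaspersky's or the article's own code: it checks whether a reported Chrome version predates the fix, and hunts a list of endpoint events for the file, service and DNS indicators. The event records and the service name "WmiPrvMon" are constructed for the example and only loosely imitate Sysmon-style data; the regular expression assumes the system directory is `<drive>:\Windows\System32`.

```python
"""Defender-side triage helpers for the PuzzleMaker chain described above.

Added example, not Kaspersky's or the article's own code. The event shape
used here is a simplified, constructed stand-in for Sysmon-style records.
"""
from __future__ import annotations

import re
from typing import Iterable

# Indicators taken from the article.
FIXED_CHROME_VERSION = (90, 0, 4430, 85)   # CVE-2021-21224 is fixed from this build on
DROPPED_FILES = {"wmiprvmon.exe", "wmimon.dll"}
C2_DOMAIN = "media-seoengine.com"
# Assumption: %SYSTEM% resolves to <drive>:\Windows\System32 on the hosts being checked.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '90.0.4430.85' into (90, 0, 4430, 85); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def chrome_is_vulnerable(version: str) -> bool:
    """True when the reported build predates the 90.0.4430.85 fix.

    Tuple comparison handles differing lengths: a truncated '90.0.4430'
    compares as older than the fixed build and is therefore flagged.
    """
    return parse_version(version) < FIXED_CHROME_VERSION


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt_iocs(events: Iterable[dict]) -> list[str]:
    """Return one finding per event that matches an indicator from the article.

    Each event is a dict with a 'type' key:
      'file_create'     -> 'path'
      'service_install' -> 'name', 'image_path'
      'dns_query'       -> 'query'
    Unknown event types are ignored.
    """
    findings: list[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file_create":
            path = ev.get("path", "")
            # Only the dropped names in the system directory count; the same
            # file name elsewhere is not the pattern the article describes.
            if _basename(path) in DROPPED_FILES and SYSTEM_DIR_RE.match(path):
                findings.append(f"dropped file in system dir: {path}")
        elif kind == "service_install":
            image = ev.get("image_path", "")
            if _basename(image) in DROPPED_FILES:
                findings.append(f"service {ev.get('name')!r} launches {image}")
        elif kind == "dns_query":
            q = ev.get("query", "").lower().rstrip(".")
            if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
                findings.append(f"DNS lookup of C2 domain: {q}")
    return findings


# Constructed sample events: two real hits per category mixed with benign noise.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\WmiPrvMon.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\wmimon.dll"},
    {"type": "file_create", "path": r"C:\Users\alice\Downloads\report.pdf"},
    {"type": "service_install", "name": "WmiPrvMon",   # constructed service name
     "image_path": r"C:\Windows\System32\WmiPrvMon.exe"},
    {"type": "service_install", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "dns_query", "query": "media-seoengine.com"},
    {"type": "dns_query", "query": "update.googleapis.com"},
]


if __name__ == "__main__":
    for v in ("89.0.4389.128", "90.0.4430.85"):
        print(f"Chrome {v}: {'VULNERABLE' if chrome_is_vulnerable(v) else 'patched'}")
    for line in hunt_iocs(SAMPLE_EVENTS):
        print("FINDING:", line)
```

Running the block prints one vulnerable and one patched Chrome verdict and four findings from the sample events (two files, one service, one DNS lookup). In practice the version check belongs in a fleet inventory query and the event hunt in whatever EDR or SIEM holds file, service and DNS telemetry; the matching logic stays the same.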