Security researchers have warned about PuzzleMaker, a new hacking group that is using a series of Google Chrome and Windows 10 exploits to attack organizations worldwide.
According to Kaspersky researchers, the attacks were first observed in mid-April 2021. They were highly targeted against companies worldwide and used a chain of Google Chrome and Microsoft Windows zero-day exploits.
The researchers were unable to retrieve the exploit used for remote code execution (RCE) in Chrome, but they did find and analyze an elevation-of-privilege exploit used to escape the browser sandbox and obtain system privileges.
Researchers said a user with the Twitter handle @r4j0x00 later published a working remote code execution exploit on GitHub.
After gaining code execution through the Chrome exploit, the attackers ran the elevation-of-privilege exploit, which combined a Windows NTFS privilege escalation bug (CVE-2021-31956) with abuse of the Windows Notification Facility (WNF) to escape the sandbox and execute code with system privileges on compromised Windows 10 systems.
With system privileges, the attackers then deployed four malware modules on the victim's machine: a stager, a dropper, a service, and a remote shell.
The stager checks if exploitation is successful. If so, it downloads a dropper module from a C2 server. The dropper module installs two executables that pretend to be legitimate Windows files. The first file is registered as a service and used as a launcher for the second executable. The second file is used as a remote shell and is the attack's main payload.
"The remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between the C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine," said researchers.
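The hardcoded C2 domain above is the one indicator of compromise the report gives that defenders can act on immediately. The script below is an added example, not code from the article or from the researchers: it refangs the published indicator and scans proxy or DNS logs for connections to that domain or any of its subdomains, while not matching look-alike hosts that merely contain the string. The log format (timestamp, client IP, destination host or URL) is an assumed one and the log lines are constructed for the example.

```python
"""Flag outbound connections to the PuzzleMaker remote shell's hardcoded C2 domain.

Added example for this article; it is not code from the article or from the
researchers. The log format (timestamp, source IP, destination host or URL) is
assumed, and the sample log lines below are constructed.
"""
import re

# Indicator as published in the article, in defanged form.
IOC_DOMAINS_DEFANGED = ["media-seoengine[.]com"]

# Assumed log format: "<timestamp> <src-ip> <host-or-url>", one record per line.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+)$")


def refang(indicator: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' style indicators back into matchable text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IOC domain itself or a subdomain of it.

    Suffix-matching on '.' + domain avoids false positives on look-alike hosts
    such as 'media-seoengine.com.attacker.net', which only contain the string.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def normalize_host(field: str) -> str:
    """Reduce a logged URL or host:port to a bare hostname."""
    field = re.sub(r"^[a-z]+://", "", field, flags=re.I)  # drop scheme if a URL was logged
    return field.split("/")[0].split(":")[0]  # drop path and port


def scan_log(lines, iocs=IOC_DOMAINS_DEFANGED):
    """Return (timestamp, src_ip, host) for every line that hits an IOC domain."""
    wanted = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        host = normalize_host(m.group("host"))
        if any(domain_matches(host, d) for d in wanted):
            hits.append((m.group("ts"), m.group("src"), host))
    return hits


# Constructed sample log: one benign host, two true hits, one look-alike, one bad line.
SAMPLE_LOG = """\
2021-04-14T10:02:11Z 10.0.5.23 update.microsoft.com
2021-04-14T10:02:15Z 10.0.5.23 https://media-seoengine.com:443/api
2021-04-14T10:03:40Z 10.0.5.41 cdn.media-seoengine.com
2021-04-14T10:04:02Z 10.0.5.41 media-seoengine.com.evil-lookalike.net
garbage line
"""

if __name__ == "__main__":
    for ts, src, host in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ts} {src} -> {host}")
```

Run against the constructed sample, only the second and third lines are reported; the look-alike host on the fourth line is ignored because the match is anchored on the domain boundary rather than a substring search. Swap `LINE_RE` and `normalize_host` for your own proxy or resolver format and feed it the real log.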
Researchers said they found no strong connections between the malware and known threat actors. Organizations have been urged to apply the Chrome and Windows patches to affected systems as soon as possible.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market.