In late August and early September 2021, Kaspersky technologies detected attacks on numerous Microsoft Windows systems that used a zero-day elevation-of-privilege vulnerability. The exploit contained several debug strings from an older, publicly known vulnerability, CVE-2016-3309, but closer analysis showed that it targeted a previously unknown bug in the Win32k kernel driver and relied heavily on a technique that leaks the base addresses of kernel modules. Kaspersky promptly reported the findings to Microsoft; the information-disclosure part of the exploit chain was judged not to cross a security boundary.
Examining the RAT used in the attacks, the researchers found code similarities and reuse of C2 infrastructure that let them attribute the operation to IronHusky, a Chinese-speaking APT group. IronHusky has been active since at least 2017, targeting Russian and Mongolian government institutions, aviation companies and research institutes.
The discovered exploit is written to support the following Windows products:
- Microsoft Windows Vista
- Microsoft Windows 7
- Microsoft Windows 8
- Microsoft Windows 8.1
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows 10 (build 14393)
- Microsoft Windows Server 2016 (build 14393)
- Microsoft Windows 10 (build 17763)
- Microsoft Windows Server 2019 (build 17763)
The analysed sample was also uploaded to VirusTotal (VT) on August 10, 2021. It is unusually large at 8.29 MB. One reason for the size is that the binary is statically linked with the OpenSSL library, which brings in unused code and data; it also contains functions that reference randomly generated strings embedded in the file.
The exploitation process for this vulnerability is as follows:
1. A user-mode call to ResetDC executes the syscall NtGdiResetDC and its inner function GreResetDCInternal. This function obtains a pointer to a PDC object and then calls hdcOpenDCW.
2. hdcOpenDCW performs a user-mode callback, which the exploit uses to call ResetDC on the same handle a second time.
3. Because the exploit calls ResetDC from inside the callback, NtGdiResetDC and GreResetDCInternal run again for the same DC.
4. If the exploit ignores all callbacks during this second call to GreResetDCInternal, the call runs to completion as intended: it creates a new DC and destroys the old one (the PDC object is freed).
5. Still inside the callback, after the second ResetDC has returned, the exploit reclaims the freed memory of the PDC object and then lets the callback finish.
6. When the callback returns, hdcOpenDCW returns to GreResetDCInternal, but the pointer obtained in step 1 is now dangling: it points to the memory of the destroyed PDC object.
7. In the late stage of GreResetDCInternal, the malformed PDC object is used to call an arbitrary kernel function with controlled parameters.
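The following C program is an added illustration of the re-entrancy use-after-free pattern described in the steps above. It is not Kaspersky's code, not the exploit, and not Windows source: it models a DC-like object in a user-space pool with a LIFO free list (standing in for a kernel lookaside list), a reset routine that fetches the object pointer, calls back into "user mode", and then touches that pointer again, and a callback that re-enters the reset so the original object is destroyed and its memory reclaimed underneath the outer call. The object layout (`dc_t`), the `pfn_finish` function pointer, the pool and the "hardened" variant that re-resolves the handle after the callback are all assumptions made for the simulation; the hardened check is an illustrative mitigation, not Microsoft's actual patch.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated device-context object (assumption: not the real PDC layout). */
typedef struct dc {
    uint32_t handle;                 /* handle mapped to this object; 0 = slot free */
    uint32_t generation;             /* bumped on every reset, used by the hardened check */
    void (*pfn_finish)(struct dc *); /* "driver" routine called late in reset */
} dc_t;

/* Fixed pool with a LIFO free list: the most recently freed slot is handed
   out next, which is what makes reclaiming the freed object deterministic. */
#define POOL_SLOTS 8
static dc_t pool[POOL_SLOTS];
static int free_stack[POOL_SLOTS];
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = POOL_SLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
}
static dc_t *pool_alloc(void) {
    if (free_top == 0) return NULL;
    dc_t *o = &pool[free_stack[--free_top]];
    memset(o, 0, sizeof *o);
    return o;
}
static void pool_free(dc_t *o) {
    o->handle = 0;                                  /* object destroyed */
    free_stack[free_top++] = (int)(o - pool);       /* memory back on the list */
}
/* Handle-table lookup (a linear scan is fine for the simulation). */
static dc_t *lookup_dc(uint32_t h) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool[i].handle == h) return &pool[i];
    return NULL;
}

/* Counters set by the two possible pfn_finish targets. */
static int benign_calls, hijacked_calls;
static void benign_finish(dc_t *d)   { (void)d; benign_calls++; }
static void attacker_finish(dc_t *d) { (void)d; hijacked_calls++; }

/* User-mode callback hook; NULL means no exploit installed. */
static void (*g_user_callback)(uint32_t h);

/* Models GreResetDCInternal. hardened == 0 keeps the bug: the pointer fetched
   in step 1 is reused after the callback. hardened == 1 re-resolves the handle
   after the callback and aborts if the object changed (illustrative only).
   Returns 0 on success, a negative value on failure. */
static int reset_dc(uint32_t h, int hardened) {
    dc_t *pdc = lookup_dc(h);                 /* step 1: pointer taken before the callback */
    if (!pdc) return -1;
    uint32_t gen = pdc->generation;

    if (g_user_callback) g_user_callback(h);  /* step 2: hdcOpenDCW-style user callback */

    if (hardened && (lookup_dc(h) != pdc || pdc->generation != gen))
        return -2;                            /* object replaced under us: refuse to continue */

    dc_t *ndc = pool_alloc();                 /* create the replacement DC */
    if (!ndc) return -3;
    pdc->pfn_finish(pdc);                     /* late stage: call through the (possibly dangling) object */
    ndc->handle = h;                          /* hand the handle to the new DC ... */
    ndc->generation = gen + 1;
    ndc->pfn_finish = benign_finish;
    pool_free(pdc);                           /* ... and destroy the old one */
    return 0;
}

/* Exploit-side callback: on first entry it re-enters reset_dc for the same
   handle (steps 3-4), then reclaims the freed slot with an object whose
   function pointer it controls (step 5). The nested callback is ignored. */
static int g_hardened, in_callback;
static void exploit_callback(uint32_t h) {
    if (in_callback) return;                  /* step 4: ignore callbacks during the inner reset */
    in_callback = 1;
    reset_dc(h, g_hardened);                  /* step 3: second ResetDC on the same handle */
    dc_t *fake = pool_alloc();                /* step 5: reclaim the freed PDC memory */
    if (fake) fake->pfn_finish = attacker_finish;
    in_callback = 0;
}

/* Runs one scenario from a clean pool and returns the outer reset_dc result;
   hijacked_calls tells whether the attacker-controlled function was reached. */
static int run_scenario(int with_exploit, int hardened) {
    pool_init();
    benign_calls = hijacked_calls = in_callback = 0;
    g_hardened = hardened;
    g_user_callback = with_exploit ? exploit_callback : NULL;
    dc_t *dc = pool_alloc();                  /* the victim's original DC */
    dc->handle = 0x1001;
    dc->pfn_finish = benign_finish;
    return reset_dc(0x1001, hardened);
}

int main(void) {
    int r = run_scenario(0, 0);
    printf("no exploit:          ret=%d benign=%d hijacked=%d\n", r, benign_calls, hijacked_calls);
    r = run_scenario(1, 0);
    printf("exploit, vulnerable: ret=%d benign=%d hijacked=%d\n", r, benign_calls, hijacked_calls);
    r = run_scenario(1, 1);
    printf("exploit, hardened:   ret=%d benign=%d hijacked=%d\n", r, benign_calls, hijacked_calls);
    return 0;
}
```

In the vulnerable run the inner reset succeeds normally (one benign call), the freed slot is handed straight back to the callback, and the outer call then dispatches through the attacker's pointer. In the hardened run the inner reset still succeeds, but the outer call notices that the handle no longer resolves to the object it fetched and bails out before touching it. The general lesson is the one the step list implies: any pointer obtained before a user-mode callback must be treated as stale once the callback returns, because the callback can re-enter the same syscall and free the object.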
The malware enumerates the values under the registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer” and uses them to request tunnelling through a proxy server if it fails to connect to the C2 directly.
The malware gathers and sends general information about the victim machine. This information includes:
- Computer name
- Current OEM code-page/default identifier
- Windows product name
- Local IP address
- Logged-in user name
- Campaign name
Kaspersky concluded that “The malware itself is not very sophisticated and has functionality similar to many other remote shells. But it still somehow stands out, with a relatively large number of implemented commands and extra capabilities like monitoring for inserted disk drives and the ability to act as a proxy.”
Indicators of Compromise