PuzzleMaker: Targeted attacks against multiple companies

Our technologies detected targeted attacks involving a number of zero-day exploits.

Behavioral threat detection and exploit prevention technologies in Kaspersky Endpoint Security for Business have identified a wave of highly targeted attacks on several companies. These attacks used a chain of zero-day exploits of Google’s Chrome browser and Microsoft Windows vulnerabilities. By now, patches for the vulnerabilities are available (as of a Microsoft update released June 8), so we recommend everybody update both browser and OS. We are calling the threat actor behind these attacks PuzzleMaker.

What is so dangerous about PuzzleMaker attacks?

The attackers use a Google Chrome vulnerability to execute malicious code on the target machine and proceed by using two Windows 10 vulnerabilities to escape the “sandbox” and gain system privileges. They proceed to upload the first malware module, the so-called stager, to the victim’s machine along with a customized configuration block (command server address, session ID, decryption keys for the next module, and so forth).

The stager notifies the attackers of the successful infection and downloads and decrypts a dropper module, which, in turn, installs two executables passing themselves off as legitimate. The first one, WmiPrvMon.exе, registers as a service and runs the second one, wmimon.dll. This second executable is the attack’s principal payload, fashioned as a remote shell.

The attackers use that shell to enjoy full control of the target machine. They can upload and download files, create processes, hibernate for a specified stretch of time, even rid the machine of any traces of the attack. This malware component communicates with the command server through an encrypted connection.

Which exploits and vulnerabilities?

Unfortunately, our experts were unable to analyze the remote code execution exploit PuzzleMaker used to attack Google Chrome, but they did complete a thorough investigation and concluded that the attackers likely relied on the CVE-2021-21224 vulnerability. If you are interested in how and why they came to this conclusion, we encourage you to read about their reasoning in this Securelist post. In any case, Google released a patch for this vulnerability on April 20, 2021, less than a week after we discovered the wave of attacks.

The privilege elevation exploit uses two Windows 10 vulnerabilities at once. The first one, CVE-2021-31955, is an information disclosure vulnerability in the file ntoskrnl.exe. The exploit used it to determine the addresses of the EPROCESS structure kernel for the executed processes. The second vulnerability, CVE-2021-31956, is in the ntfs.sys driver and belongs to the heap overflow class of vulnerabilities. Malefactors used it along with the Windows Notification Facility for reading and writing data to memory. This exploit works on most common Windows 10 builds: 17763 (Redstone 5), 18362 (19H1), 18363 (19H2), 19041 (20H1), and 19042 (20H2). Build 19043 (21H1) is also vulnerable, although our technologies have not detected attacks on this version, which was released after we detected the PuzzleMaker. Securelist has published a post containing a detailed technical description and listing the indicators of compromise.

Protection against this and similar attacks

To safeguard your corporate security against the exploits used in the PuzzleMaker attack, first update Chrome and install (from Microsoft‘s website) the operating system patches that address vulnerabilities CVE-2021-31955 and CVE-2021-31956.

That said, to avert the threat of other zero-day vulnerabilities, every type of company needs to use cybersecurity products that can detect such exploitation attempts by analyzing suspicious behavior. For example, our products detected this attack using the Behavioral Detection Engine technology and Exploit Prevention subsystem in Kaspersky Endpoint Security for business.