Windows Zero-Day Exploited in Targeted Attacks by ‘PowerPool’ Group

A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.


The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).

The public exploit has been confirmed to work on 64-bit versions of Windows 10 and Windows Server 2016, with the possibility to adapt it for 32-bit systems as well.

Microsoft has launched an investigation, but it has yet to release a patch or provide mitigations. While the tech giant initially suggested that a fix may be released with its regular Patch Tuesday updates, the company may roll out a patch sooner now that the vulnerability has been exploited in malicious attacks.

In the meantime, 0patch has released an unofficial fix for the vulnerability and CERT/CC’s advisory for the bug describes some mitigations.

According to ESET, the local privilege escalation vulnerability has been exploited by a newly uncovered group it tracks as PowerPool. Based on the security firm’s telemetry and malware samples uploaded to VirusTotal, the threat actor appears to have leveraged the Windows zero-day against a small number of users located in the United States, the United Kingdom, Germany, Ukraine, Chile, India, Russia, the Philippines and Poland.

ESET researchers determined that PowerPool slightly modified the publicly available exploit source code and recompiled it for its attacks.


The hackers, whose possible origins have not been discussed by the security firm, have used the zero-day to overwrite C:\Program Files (x86)\Google\Update\GoogleUpdate.exe, a legitimate updater for Google applications. Since this file is regularly executed in Windows with administrative privileges, overwriting it with their malware has allowed the attackers to obtain elevated permissions on the targeted system.
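A defender can look for the result of this kind of overwrite by checking the signatures of binaries that run automatically with elevated rights. The PowerShell below is an added example, not code from ESET or from the article; it assumes the standard `Get-ScheduledTask` and `Get-AuthenticodeSignature` cmdlets, and the helper name `Resolve-TaskBinary` is hypothetical.

```powershell
# Added example (not from ESET or the article): list binaries that scheduled
# tasks run as SYSTEM or with highest privileges and whose Authenticode
# signature does not verify. A vendor updater that has been overwritten
# no longer carries the vendor's valid signature.

function Resolve-TaskBinary {
    # Hypothetical helper: turn a task action's Execute string into a file path.
    param([string]$Execute)
    # Task actions may quote the path and use environment variables.
    $path = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    if (Test-Path -LiteralPath $path -PathType Leaf) { return $path }
    return $null   # bare command names (no full path) are not resolved here
}

$findings = foreach ($task in Get-ScheduledTask) {
    $principal = $task.Principal
    $elevated  = ($principal.UserId -in 'SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18') -or
                 ($principal.RunLevel -eq 'Highest')
    if (-not $elevated) { continue }

    foreach ($action in $task.Actions) {
        # Only exec actions have an Execute property; COM handler actions do not.
        if (-not $action.Execute) { continue }
        $binary = Resolve-TaskBinary $action.Execute
        if (-not $binary) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $binary
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Task   = $task.TaskPath + $task.TaskName
                RunAs  = $principal.UserId
                Binary = $binary
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject   # empty when unsigned
            }
        }
    }
}

# One row per binary; anything listed here needs a closer look.
$findings | Sort-Object Binary -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so that every task is visible. Task actions that give only a bare command name are skipped rather than resolved.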

ESET believes PowerPool attacks begin with a malware-carrying email being sent to the targeted user. While the campaign involving the zero-day appears to be highly targeted, an interesting spam campaign spotted by SANS in May, which used Symbolic Link (.slk) files for malware distribution, was apparently carried out by the same group.

The first-stage malware used by PowerPool, which is delivered via the initial emails, is a backdoor designed for reconnaissance purposes. If the infected machine is of interest to the attackers, the malware downloads a second-stage backdoor capable of executing commands on the system, uploading and downloading files, killing processes, and listing folders.

The files downloaded by the second-stage malware to compromised devices include several open source tools that allow the attackers to move laterally on the network. The list includes PowerDump, PowerSploit, SMBExec, Quarks PwDump, and FireMaster.

ESET has described this second stage malware as “clearly not a state-of-the-art APT backdoor.”

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” ESET concluded.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
