Windows Zero-Day Leveraged in Financial Attacks

Some of the attacks launched in March by a financially-motivated threat actor against organizations in North America involved a zero-day privilege escalation vulnerability affecting Windows.

According to FireEye, this sophisticated cybercrime group targeted more than 100 companies — mainly in the retail, hospitality and restaurant sectors.

The attackers used spear-phishing emails and malicious macro-enabled Word documents to deliver PUNCHBUGGY, a DLL downloader that allowed them to interact with the compromised system and move laterally in the victim’s network.

The threat group has also leveraged a point-of-sale (PoS) malware, dubbed by FireEye “PUNCHTRACK,” to steal Track 1 and Track 2 payment card data from infected devices. Researchers noted that the malware is loaded and executed by a highly obfuscated launcher and it’s designed never to touch the device’s disk.

In some of the attacks observed by FireEye in March, the threat actor relied on a local privilege escalation vulnerability in Windows (CVE-2016-0167) that was unknown at the time. The security firm reported spotting the zero-day exploit in limited targeted attacks dating back to March 8.

Microsoft patched the flaw on April 12 with the MS16-039 bulletin and further strengthened Windows against similar attacks with an update released this week (MS16-062).

Researchers said the attackers first compromised the targeted systems and achieved remote code execution via the malicious documents attached to spear-phishing emails, and then they used the CVE-2016-0167 exploit to run code with SYSTEM privileges.

FireEye has been monitoring this threat group for the past year and determined that it’s the only threat actor to use the PUNCHBUGGY downloader and the PUNCHTRACK PoS malware in its operations.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” FireEye researchers wrote in a blog post.

This is not the only sophisticated cybercrime group monitored by FireEye. Last month, the company detailed the activities of a threat actor dubbed “FIN6” that stole millions of payment card records from PoS systems. Experts believe FIN6 could have made a significant profit after selling the stolen information on an underground marketplace.

Related Reading: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS