CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Windows Zero-Day Leveraged in Financial Attacks

Some of the attacks launched in March by a financially-motivated threat actor against organizations in North America involved a zero-day privilege escalation vulnerability affecting Windows.

According to FireEye, this sophisticated cybercrime group targeted more than 100 companies — mainly in the retail, hospitality and restaurant sectors.

Some of the attacks launched in March by a financially-motivated threat actor against organizations in North America involved a zero-day privilege escalation vulnerability affecting Windows.

According to FireEye, this sophisticated cybercrime group targeted more than 100 companies — mainly in the retail, hospitality and restaurant sectors.

The attackers used spear-phishing emails and malicious macro-enabled Word documents to deliver PUNCHBUGGY, a DLL downloader that allowed them to interact with the compromised system and move laterally in the victim’s network.

The threat group has also leveraged a point-of-sale (PoS) malware, dubbed by FireEye “PUNCHTRACK,” to steal Track 1 and Track 2 payment card data from infected devices. Researchers noted that the malware is loaded and executed by a highly obfuscated launcher and it’s designed never to touch the device’s disk.

In some of the attacks observed by FireEye in March, the threat actor relied on a local privilege escalation vulnerability in Windows (CVE-2016-0167) that was unknown at the time. The security firm reported spotting the zero-day exploit in limited targeted attacks dating back to March 8.

Microsoft patched the flaw on April 12 with the MS16-039 bulletin and further strengthened Windows against similar attacks with an update released this week (MS16-062).

Researchers said the attackers first compromised the targeted systems and achieved remote code execution via the malicious documents attached to spear-phishing emails, and then they used the CVE-2016-0167 exploit to run code with SYSTEM privileges.

FireEye has been monitoring this threat group for the past year and determined that it’s the only threat actor to use the PUNCHBUGGY downloader and the PUNCHTRACK PoS malware in its operations.

Advertisement. Scroll to continue reading.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” FireEye researchers wrote in a blog post.

This is not the only sophisticated cybercrime group monitored by FireEye. Last month, the company detailed the activities of a threat actor dubbed “FIN6” that stole millions of payment card records from PoS systems. Experts believe FIN6 could have made a significant profit after selling the stolen information on an underground marketplace.

Related Reading: “Multigrain” PoS Malware Exfiltrates Card Data Over DNS

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.