According to Kaspersky, on April 14 and 15, 2021, it tracked a wave of highly targeted attacks that used a chain of zero-day exploits in Chrome and Windows.
The attackers have been named PuzzleMaker. Although not confirmed, the first exploit in the chain appears to be CVE-2021-21224, a V8 type confusion vulnerability in Chrome prior to 90.0.4430.85.
On April 20, Google released a fix for the critical flaw, which, when exploited, allows remote attackers to execute arbitrary code inside the sandbox via a crafted HTML page.
Researchers found that the chain also exploited two Windows 10 vulnerabilities, both zero-days fixed in Microsoft’s latest Patch Tuesday update.
The first, CVE-2021-31955, is a Windows kernel information disclosure vulnerability in ntoskrnl.exe; it is used to leak the kernel addresses of the EPROCESS structures of running processes. The second, CVE-2021-31956, is a heap buffer overflow in the Windows NTFS driver that can be exploited to gain elevated privileges.
According to Kaspersky, chaining the vulnerabilities together let the attacker escape the sandbox and execute malicious code on the target machine.
In addition to the exploits above, the full attack chain includes four further malware modules, referred to as Stager, Dropper, Service, and Remote Shell. The Stager module is used to notify that exploitation was successful; it also downloads and executes a more complex malware dropper module from a remote server.
Each Stager module is delivered to the victim with a customized configuration blob that includes the C&C URL, a session ID, keys to decrypt the next malware stage, and other information.
The Dropper module is used to install two executables that masquerade as legitimate Microsoft Windows OS files. One of them (%SYSTEM%\WmiPrvMon.exe) is registered as a service and serves as a launcher for the second executable. The second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. Kaspersky did not find any similarities with other known malware.
The remote shell module has a hardcoded URL for the command-and-control server (media-seoengine.com). All communication between the C&C server and the client is authenticated and encrypted. The remote shell module can upload and download data, start and stop programs, sleep for specified periods of time, and delete itself from the compromised machine.
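As an added example (not code from Kaspersky or the article above), the following hunt runs over constructed Sysmon-style events and flags the artifacts the write-up describes: the launcher registered as a service, the remote shell DLL being loaded, and resolution of the hardcoded C&C domain. The event field names follow Sysmon conventions; the sample events are made up for the example.

```python
# Indicators taken from the write-up: the two masqueraded files the dropper
# installs and the hardcoded C&C domain of the remote shell. File names are
# weak indicators (trivially renamed), so pair them with the service and DNS checks.
LAUNCHER_EXE = "wmiprvmon.exe"
PAYLOAD_DLL = "wmimon.dll"
C2_DOMAIN = "media-seoengine.com"

# Constructed Sysmon-style events (not real telemetry). EventID 13 = registry
# value set, 7 = image load, 22 = DNS query, 1 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WmiPrvMon\ImagePath",
     "Details": r"C:\Windows\System32\WmiPrvMon.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},  # legitimate WMI host
    {"EventID": 7, "Image": r"C:\Windows\System32\WmiPrvMon.exe",
     "ImageLoaded": r"C:\Windows\System32\wmimon.dll"},
    {"EventID": 22, "Image": r"C:\Windows\System32\WmiPrvMon.exe",
     "QueryName": "media-seoengine.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.com"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule_name, event) pairs for events matching the PuzzleMaker
    indicators. Exact basename matches are used on purpose so the legitimate
    WmiPrvSE.exe does not trip the launcher rules."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if (eid == 13 and ev.get("TargetObject", "").lower().endswith("\\imagepath")
                and _basename(ev.get("Details", "")) == LAUNCHER_EXE):
            findings.append(("service_registered_as_launcher", ev))
        elif eid == 7 and _basename(ev.get("ImageLoaded", "")) == PAYLOAD_DLL:
            findings.append(("remote_shell_dll_loaded", ev))
        elif eid == 22 and ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
            findings.append(("c2_domain_resolved", ev))
        elif eid == 1 and _basename(ev.get("Image", "")) == LAUNCHER_EXE:
            findings.append(("launcher_process_started", ev))
    return findings


def hunt_json_lines(lines):
    """Same check over newline-delimited JSON, as exported by many SIEMs."""
    import json
    return hunt(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev)
```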