It didn’t take long as a Windows Zero Day patched this month appeared in attacks from an advanced persistent threat (APT).
FruityArmor, as Kaspersky Lab is calling it, is targeting researchers, activists and individuals related to government organizations. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
What makes FruityArmor APT compelling is its use of Zero Day vulnerabilities and its attack platform, which is built entirely around PowerShell, Microsoft’s task automation and configuration management framework, said Kaspersky’s Anton Ivanov in a blog post.
The group has also used Windows Management Instrumentation (WMI) for persistence, a combination increasingly leveraged by malicious actors.
Microsoft’s October 2016 security bulletins patch fourZero Days. The vulnerability leveraged by FruityArmor is CVE-2016-3393, which Microsoft described as a remote code execution issue that attackers can exploit to take control of affected systems.
Ivanov said FruityArmor has been using CVE-2016-3393 for privilege escalation.
“To achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit,” Ivanov said. “Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.”
“In the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit,” he added. “This comes in the form of a module, which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit.
“After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C.”