CVE-2019-1132: a Windows Zero-Day exploited by Buhtrap Group in espionage campaigns

According to experts at ESET, the Windows zero-day vulnerability CVE-2019-1132 was exploited by the Buhtrap threat group in a targeted attack aimed at a government organization in Eastern Europe.


Keep your system up-to-date!

The vulnerability

CVE-2019-1132 affects the Win32k component and could be exploited to run arbitrary code in kernel mode. Microsoft patched it in the July 2019 cumulative update.

According to the advisory:

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how Win32k handles objects in memory.

CVE-2019-1132 impacts the following Windows versions:

• Windows 7 for 32-bit Systems Service Pack 1
• Windows 7 for x64-based Systems Service Pack 1
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for Itanium-Based Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
• Windows Server 2008 R2 for x64-based Systems Service Pack 1

This vulnerability was exploitable only on older Windows versions because, since Windows 8, user processes are no longer allowed to map the NULL page.

The threat actor

The Buhtrap group is well known for its targeting of financial institutions and businesses in Russia. However, since late 2015 it has evolved from a purely criminal group perpetrating cybercrime for financial gain: its toolset has been expanded with malware used to conduct espionage in Eastern Europe and Central Asia.

The campaign

According to ESET’s researchers, the attackers used a weaponized document to deliver a backdoor that also implements an info-stealing module called “grabber”:

The first module, called “grabber” by its author, is a standalone password stealer. It tries to harvest passwords from mail clients, browsers, etc., and sends them to a C&C server. This module was also detected as part of the campaign using the zero-day. This module uses standard Windows APIs to communicate with its C&C server.

The second stage then implements the backdoor and persistence:

The second module is something that we have come to expect from Buhtrap operators: an NSIS installer containing a legitimate application that will be abused to side-load the Buhtrap main backdoor. The legitimate application that is abused in this case is AVZ, a free anti-virus scanner.

