IT security researchers at Kaspersky have identified a new player on the cybercrime scene, known as PuzzleMaker, who is using a chain of Windows 10 and Google Chrome zero-day exploits in a series of highly targeted attacks on numerous enterprises around the world.
Investigating a threat operator
According to the cybersecurity experts, the recently revealed attacks were first spotted in the middle of April, when the first wave hit the target companies’ networks.
After penetration, PuzzleMaker’s operators used a privilege-elevation exploit customised to compromise the most recent versions of Windows 10. The exploit chains an information disclosure weakness in Windows, tracked as CVE-2021-31955, with an NTFS privilege escalation bug recorded as CVE-2021-31956. Both vulnerabilities have since been resolved in this month’s Patch Tuesday.
The threat operators behind the attack also exploited the Windows Notification Facility (WNF), alongside the CVE-2021-31956 weakness, to execute their malware modules and assign themselves elevated privileges on the compromised Windows 10 systems.
The research team at Kaspersky commented on the malware deployment:
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server. This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system.”
Recent use of zero-day exploits
PuzzleMaker’s activities are far from the first recent instance of zero-day exploit chains in Chrome being used in attacks.
Google’s dedicated zero-day bug hunters, known as Project Zero, recently uncovered an expansive operation in which a hacker group used 11 zero-day exploits to attack iOS, Windows and Android users within a single year.
The raft of attacks happened as part of two different campaigns, one in February 2020, and another in October, with around 12 different sites hosting two high-functioning exploit servers.
Google’s Project Zero team collected a trove of information after discovering the exploit servers used in the campaigns. This included a series of renderer exploits for Chrome bugs, two different sandbox escape exploits targeting three zero-day Windows vulnerabilities and a purpose-built “privilege escalation kit”, among other evidence of the attackers’ activities.
The overall view of senior cybersecurity researchers is that the high-profile attacks now being driven by zero-day exploits are a reminder that these vulnerabilities remain among the most efficient ways for threat operators to infect victims’ systems. For this reason, firms should make sure that security patches for known weaknesses are applied as soon as they become available.