FruityArmor APT Group Seen Exploiting Windows Zero Day

by Dennis Fisher on Wednesday, October 10, 2018


As part of October Patch Tuesday, Microsoft fixed a critical Win32k graphics remote code execution flaw in Windows that was being exploited in a small number of targeted attacks.

As part of its monthly Patch Tuesday, Microsoft has released a fix for a critical vulnerability in Windows that at least one group is using in active, targeted attacks.

The vulnerability lies in the Win32k component of the operating system, and an attacker who is able to exploit it can get arbitrary code execution in kernel mode. The weakness is a serious one, but exploiting it is neither easy nor straightforward. However, researchers have discovered an APT group that has been using the vulnerability in targeted attacks against some victims in the Middle East.

Researchers at Kaspersky Lab discovered the vulnerability and reported it to Microsoft last month. The bug is a use-after-free vulnerability and Kaspersky’s researchers found that it was quite similar to a separate flaw discovered in 2017 that members of the Sofacy APT group have been known to use.

“The exploit was executed by the first stage of a malware installer to get necessary privileges for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4,” Kaspersky’s researchers said in a post detailing the vulnerability and exploit.

“So far, we’ve observed the usage of this exploit in a small number of targeted attacks, when the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant, used by the attackers for persistent access to the victims’ machines.”

Although the vulnerability itself is similar to one used by Sofacy, a group also known as Fancy Bear, the group exploiting this new bug is a separate team, known as FruityArmor. That group has been known to deploy exploits for at least two other zero-day vulnerabilities in the last couple of years, as well. The difference with this vulnerability, though, is that it’s only an elevation of privilege bug, so the attackers need to have some presence on a targeted machine already.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in its advisory.

The good news is that the FruityArmor group does not appear to be going after random targets. The victim list so far comprises fewer than a dozen targets, but the level of skill displayed by the attackers using this vulnerability is on the high end of the scale.

“Even when deploying 0-days seems to be more frequent than it used to be, this would be the second time we have spotted FruityArmor using one of them to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final-stager they distribute,” Kaspersky’s analysis says.

“So far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. However, the victimology is not clear, especially with such a small number of victims involved.”

Tags: Vulnerabilities


Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.