PowerPool threat group exploiting new Windows zero-day in a new campaign

• The Windows RCE flaw was exploited by the newly discovered PowerPool group just days after it was publicly released.
• PowerPool has been carefully selecting its targets instead of running a massive spam campaign.

A new threat group called PowerPool has been spotted exploiting a recently disclosed Windows zero-day vulnerability in a new campaign, security researchers have found.

The remote code execution (RCE) vulnerability was disclosed on GitHub and Twitter on August 27. There was no patch for the vulnerability at the time. The flaw affects Windows operating systems (OS) 7 to 10, particularly the Advanced Local Procedure Call (ALPC) function, and allows local privilege escalation.

“The tweet linked to a GitHub repository that contains Proof-of-Concept code for the exploit. Not only was a compiled version released – the source code was also. Consequently, anyone can modify and recompile the exploit, in order to 'improve it', evade detection, or even incorporate it into their code,” ESET researchers, who discovered the campaign and the PowerPool group, said in a blog.

PowerPool targets

According to ESET, PowerPool has only targeted a small group of victims so far. However, the victims targeted by the group span across the globe - in Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.

“The PowerPool group uses different approaches to initially compromise a victim. One is to send emails with their first-stage malware as an attachment,” ESET researchers added. “It may be too early to say, but to date we’ve seen very few occurrences in our telemetry, so we assume that the recipients are carefully chosen rather than PowerPool running a massive spam campaign.”

PowerPool tools

The threat group uses a first and second stage backdoor for its campaigns.

The first-stage backdoor contains two Windows executables and is a basic reconnaissance malware. This backdoor is capable of taking screenshots and sending the data to the C2 server.

The second-stage backdoor is downloaded via the first in cases when the threat actors believe the system targeted to be “interesting”. This backdoor is capable of executing commands, killing processes, downloading and uploading files.

Once the PowerPool hackers gain persistent access to a machine, they use open-source tools such as FireMaster, PowerDump, PowerSploit and others, tot move laterally across the network.

“The disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk. In this case, even the most up-to-date version of Windows could be compromised as no patch was released when the vulnerability and exploit were published,” ESET researchers said. “This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available.”