PuzzleMaker using Chrome zero-day exploit to get into your Windows PC


THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here.

A chain of zero-day vulnerabilities is being used by a new threat actor, PuzzleMaker. PuzzleMaker uses a Chrome V8 type confusion vulnerability (CVE-2021-21224), which allows an attacker to execute arbitrary code via a crafted HTML page. The actor then chains an elevation of privilege (EoP) exploit on Windows 10, combining the information disclosure vulnerability (CVE-2021-31955) with the heap buffer overflow vulnerability (CVE-2021-31956), to gain elevated privileges on the victim's system.

Techniques used by PuzzleMaker include:
T1543 – Create or Modify System Process
T1189 – Drive-by Compromise
T1059 – Command and Scripting Interpreter
T1055 – Process Injection
T1134 – Access Token Manipulation
T1057 – Process Discovery
T1203 – Exploitation for Client Execution
T1215 – Kernel Modules and Extensions

Vulnerability Details

Indicators of Compromise

Type          Value
Files         %SYSTEM%\WmiPrvMon.exe
              %SYSTEM%\wmimon.dll
MD5 Hash      09a5055db44fc1c9e3add608efff038c
              d6b850c950379d5ee0f254f7164833e8
SHA-1 Hash    bffa4462901b74dbfbffaa3a3db27daa61211412
              e63ed3b56a5f9a1ea5c92d3d2444196ea13be94b
SHA-256 Hash  982f7c4700c75b81833d5d59ad29147c392b20c760fe36b200b541a0f841c8a9
              8a17279ba26c8fbe6966ea3300fdefb1adae1b3ed68f76a7fc81413bd8c1a5f6
Domain        media-seoengine.com
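The following is an added example, not part of the original advisory and not code from any of the referenced vendors. It turns the IoC table above into a small defender-side check: it walks a directory for files that carry the listed names or hash to any of the listed MD5/SHA-1/SHA-256 values, and it flags DNS query log lines that resolve the listed domain or a subdomain of it. The log line format, the `query:` regex and the sample files written in the demo are constructed assumptions; the advisory's `%SYSTEM%` placeholder is assumed to mean the Windows system directory, normally `%SystemRoot%\System32`.

```python
import hashlib
import os
import re
import tempfile

# IoCs taken from the advisory's table (hex digests normalised to lowercase).
IOC_FILENAMES = {"wmiprvmon.exe", "wmimon.dll"}
IOC_HASHES = {
    "md5": {
        "09a5055db44fc1c9e3add608efff038c",
        "d6b850c950379d5ee0f254f7164833e8",
    },
    "sha1": {
        "bffa4462901b74dbfbffaa3a3db27daa61211412",
        "e63ed3b56a5f9a1ea5c92d3d2444196ea13be94b",
    },
    "sha256": {
        "982f7c4700c75b81833d5d59ad29147c392b20c760fe36b200b541a0f841c8a9",
        "8a17279ba26c8fbe6966ea3300fdefb1adae1b3ed68f76a7fc81413bd8c1a5f6",
    },
}
IOC_DOMAINS = {"media-seoengine.com"}

# Assumed log format: BIND-style "... query: <name> IN A ..." lines.
DNS_QUERY_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9.-]+)")


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of one file, read in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root):
    """Walk root; return [(path, reasons)] for files matching an IoC.

    reasons is a list such as ["filename"], ["sha256"], or ["filename", "md5", ...].
    Unreadable files are skipped rather than aborting the scan.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            reasons = []
            if fn.lower() in IOC_FILENAMES:
                reasons.append("filename")
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, value in digests.items():
                if value in IOC_HASHES[algo]:
                    reasons.append(algo)
            if reasons:
                hits.append((path, reasons))
    return hits


def flag_dns_lines(lines):
    """Return the log lines whose queried name is an IoC domain or a subdomain of one."""
    flagged = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    # Constructed demo: a file with an IoC name (contents are not the real sample)
    # and a benign file, plus three constructed DNS log lines.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "WmiPrvMon.exe"), "wb") as fh:
            fh.write(b"constructed placeholder, not malware")
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"benign")
        for path, reasons in scan_directory(tmp):
            print("HIT", path, reasons)
    sample_log = [
        "12-Jun-2021 10:00:01.000 client 10.0.0.5#53211: query: media-seoengine.com IN A +",
        "12-Jun-2021 10:00:02.000 client 10.0.0.5#53212: query: cdn.media-seoengine.com IN A +",
        "12-Jun-2021 10:00:03.000 client 10.0.0.6#53213: query: example.com IN A +",
    ]
    for line in flag_dns_lines(sample_log):
        print("DNS HIT", line)
```

On a real host the directory check would be run as `scan_directory(os.path.expandvars(r"%SystemRoot%\System32"))`; a filename-only hit is weaker evidence than a hash hit, since a benign file could share the name, so the reasons list is kept so an analyst can weigh the two.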

Patch Links

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31956

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955

https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html

References

https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/

https://otx.alienvault.com/pulse/60c088d3fd6e59ee86c1b78b