Google researchers have detailed a sophisticated hacking operation that uses vulnerabilities in Chrome and Windows to install malware on Android and Windows devices.
Some exploits are zero-day, meaning they target vulnerabilities that are unknown at the time to Google, Microsoft, and most outside researchers (both companies have closed security flaws). The hackers deliver exploits through tunneling attacks, which compromise sites frequently accessed by interested targets and lace the sites with code that installs malware on visitors’ machines. boobytrapped sites use two exploit servers, one for Windows users and the other for Android users.
Not your average hackers
Using zero-day and complex infrastructure is not in itself a sign of sophistication, but it shows above-average skill by a professional group of hackers. Combined with the power of the attack code—which combines multiple exploits in an efficient manner—the campaign demonstrates that the “super actor” is doing it.
“These exploit chains are designed for efficiency and flexibility through their moderation,” said a researcher with Google’s Project Zero exploit research team wrote. “They have well-engineered, complex code with many novel exploits, mature logging, sophisticated and post-exploitation techniques, and high levels of anti-analytical and target checks. We believe that teams of experts have designed and developed these chains of abuse. “
The modularity of the payloads, exchangeable exploit chains, and logging, targeting, and development of the service also set the campaign apart, the researcher said.
The four zero days they use are:
- CVE-2020-6418-Chrome vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938– Font Vulnerability on Windows (as of April 2020)
- CVE-2020-1020– Font Vulnerability on Windows (as of April 2020)
- CVE-2020-1027– Windows CSRSS vulnerability (as of April 2020)
The attackers allowed remote code execution by exploiting Chrome’s zero-day and several recent Chrome vulnerabilities. All zero-days are used against Windows users. None of the attack chains targeting Android apps used zero-days, but Project Zero researchers say it’s possible the attackers had Android zero-days at their disposal.
The image below provides a visual overview of the campaign, which took place in the first quarter of last year:
In all, Project Zero published six chapters detailing the exploits and post-exploitation payloads found by the researchers. Other parts of the line a Chrome unlimited bugthem Chrome exploitthem Android exploitsthem post-Android exploit payloadsand the Windows exploits.
The aim of the series is to help the security community in general more effectively combat complex malware operations. “We hope this blog post series provides others with an in-depth look at abuse from a real-life, veteran, and presumably well-resourced actor,” Project Zero researchers wrote.