In March 2016, a batch of financially motivated attacks targeted the retail, foodservice and hospitality industries. The phishing messages carried Microsoft Word documents with embedded macros which, once the document was downloaded, executed a downloader named PUNCHBUGGY.
PUNCHBUGGY is a Dynamic Link Library (DLL) downloader that exists in 32-bit and 64-bit versions and can fetch additional code over HTTPS. In this attack the attackers used the downloader to interact with compromised systems and to move laterally within the victim's environment.
FireEye identified more than 100 organizations in South America affected by the spread of this attack. FireEye's investigation found that the attack used a relatively mature toolset, including a previously unknown elevation of privilege (EoP) vulnerability and exploit, and a POS memory scraper named PUNCHTRACK.
CNNVD-201604-244 / CVE-2016-0167: Windows zero-day local elevation of privilege vulnerability
In some victim environments, the attackers used a previously unknown Microsoft Windows EoP exploit to selectively obtain SYSTEM privileges on a limited number of compromised machines.
Microsoft released a patch for this vulnerability on April 12, 2016. The investigation found that purposeful use of the vulnerability can be traced back to March 8, 2016.
Researchers characterize this attack as a financially motivated operation. Over the past year, security personnel have observed this group not only reusing similar infrastructure and TTPs (tactics, techniques and procedures), but also being the only group that uses the PUNCHBUGGY downloader and the PUNCHTRACK POS malware. PUNCHTRACK, which collects Track 1 and Track 2 payment card data, is loaded and executed by a highly obfuscated launcher and is never stored on disk.
The scale and frequency of the attacks show a high level of operational awareness and capability, and the purposeful use of an EoP exploit together with targeted phishing e-mails indicates that the attacker has a high degree of operational maturity and sophistication.
Win32k!xxxMNDestroyHandler use-after-free
CVE-2016-0167 is a local elevation of privilege vulnerability in win32k, the Windows graphics subsystem. An attacker who has already obtained remote code execution can use it to elevate privileges. In this attack, the attacker first gains code execution through the malicious macro in the document attached to the phishing e-mail, then downloads and runs the CVE-2016-0167 exploit to execute subsequent code with SYSTEM privileges.
Microsoft published the patch for CVE-2016-0167 on April 12, 2016, so the exploit no longer works on updated systems. In addition, on May 10, 2015 Microsoft released another bulletin, MS16-062, which improves the ability of Windows to withstand this class of attack.
Vulnerability mechanism
First, the exploit calls CreateWindowEx() to create a main window, passing a function named WndProc in the WNDCLASSEX.lpfnWndProc field. It then uses SetWindowsHookEx() and SetWinEventHook() to install an application-defined hook named MessageHandler and an event hook named EventHandler.
Next, it calls SetTimer() to create a timer with IDEvent 0x5678. When the timer fires, WndProc receives a WM_TIMER message and calls TrackPopupMenuEx() to display a shortcut menu. EventHandler catches the EVENT_SYSTEM_MENUPOPUPSTART event raised from xxxTrackPopupMenuEx() and sends a message to the kernel. While processing that message, the kernel enters the vulnerable function xxxMNDestroyHandler(), which issues a user-mode callback to MessageHandler. MessageHandler calls DestroyWindow(), which causes the use-after-free.
The exploit uses SetSysColors() to perform heap feng shui, manipulating the heap layout through specially crafted heap allocations. In the code snippet shown in the following figure, the important address is fffff900c1aaac40, which holds fffff900c06a0422, the base address of the window kernel object tagWND plus 0x22:
The use-after-free occurs at HMAssignmentUnlock()+0x14, shown in the figure:
RDX contains the tagWND base address plus 0x22. The instruction adds 0xffffffff to the win32k!tagWND.state field, changing its value from 0x07004000 to 0x07003fff. The value 0x07004000 indicates that the bServerSideWindowProc flag is not set; after the change, bServerSideWindowProc is set, as shown in the following figure:
If a window is marked server-side by setting bServerSideWindowProc, its lpfnWndProc function pointer is trusted by default, and here it points to user-mode shellcode. The following stack trace shows the kernel calling the exploit's shellcode:
The shellcode steals the System process token to give elevated privileges to a cmd.exe child process.
FireEye products and services identify this attack as Trojan.doc.MVX, Malware.Binary.Doc and PUNCHBUGGY, and Malware.Binary.exe and PUNCHTRACK.
The latest Windows updates fix CVE-2016-0167 and fully protect against attacks that exploit it.
In addition, preventing social engineering attacks that abuse Office macros is also an effective mitigation for this vulnerability. Individual users can disable macros in Office settings, and enterprise administrators can enforce a Group Policy that controls macro execution for all Office 2016 users.
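As an added example (not code from the report or from FireEye), the following PowerShell applies the Office 2016 macro policy described above through the registry values that the Office Group Policy templates set, and then reads them back for auditing. It assumes Office 2016 (registry version key 16.0) and that it runs in the context of the user whose policy is being set, for example from a logon script.

```powershell
# Added example: enforce the Office 2016 macro policy via the Group Policy
# registry values the Office ADMX templates write (HKCU\Software\Policies...).
# VBAWarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = disable except digitally signed, 4 = disable all, no notification.
$OfficeVersion = '16.0'            # assumption: Office 2016
$Apps = 'Word', 'Excel', 'PowerPoint'

foreach ($App in $Apps) {
    $PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }

    # Strictest setting: disable all macros without notification.
    Set-ItemProperty -Path $PolicyKey -Name 'VBAWarnings' -Value 4 -Type DWord

    # Block macros in files that carry the Mark-of-the-Web, i.e. documents
    # received as e-mail attachments or downloaded from the Internet, which is
    # the delivery path used in the campaign described above.
    Set-ItemProperty -Path $PolicyKey -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Read the effective values back so the change can be verified and logged.
foreach ($App in $Apps) {
    $PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    Get-ItemProperty -Path $PolicyKey |
        Select-Object @{ n = 'App'; e = { $App } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Deploying the same values through a Group Policy Object rather than a script keeps them from being changed locally by the user.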