Source: myhack58 (佚名), id MYHACK58:62201784690
History: Mar 27, 2017 - 12:00 a.m.

Attackers use a Windows 0-day vulnerability to attack more than 100 companies in North America - vulnerability warning - 黑吧安全网


CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low (percentile 24.8%)

Foreword
FireEye's Mandiant released its 2017 M-Trends report on Tuesday; the report's data is based on the company's analysis of real-world attacks. The report notes that over the past few years, as hacking techniques have continued to develop, many financially motivated criminal groups have become increasingly sophisticated, and the technical level of some of them has reached that of nation-state hackers.
Before 2013, security experts described most cybercriminal intrusions as "smash and grab" attacks: the criminals made little effort to hide their tracks and simply kept stealing data from the target system. After 2013, the line between financially motivated attackers and nation-state hackers has become increasingly blurred, and the technical level of many criminal organizations is now on par with nation-state actors. Financially motivated attackers used to rely on WebShells, malicious code compiled with Perl2Exe and remote C&C servers; now they develop custom backdoors tailored to the characteristics of the target system and use legitimate websites for C&C communications.
Mandiant researchers found in 2016 that many attacks were in one way or another connected with malicious macro files. In these scenarios, the attacker embeds instructions in the email or the malicious document to trick the user into enabling the macro; some attackers even phone the target user and use social engineering to convince them to enable macros.
Retailers became their biggest target, not only because the attacker can profit hugely from them, but also because the security level of their networks is very low. Since many retailers' networks are not segmented, once an attacker successfully infects the PoS system, they can compromise the retailer's entire PCI environment.
Because attackers can profit from these attacks, they naturally invest heavily in this area. In one attack FireEye investigated, a hacker group used a Windows 0-day exploit on the computer systems of over a hundred companies and successfully escalated privileges. They also used very sophisticated techniques to evade detection by security products and achieve persistent infection; one of the most interesting was loading a backdoor before the operating system starts by modifying the volume boot record (VBR). Next, we give a detailed analysis of this Windows 0-day vulnerability and the techniques the attacker used.
Event background
In March 2016, a financially motivated hacking group launched numerous targeted phishing attacks against retailers, restaurants and hotels. According to the researchers' analysis, the phishing emails contained malicious Word documents with embedded macros; once the user enabled the macro, it automatically downloaded and executed a malicious downloader, which was reported under the name PUNCHBUGGY.
PUNCHBUGGY is a DLL (Dynamic Link Library) downloader, available in 32-bit and 64-bit versions, that can obtain additional code over HTTPS. The attacker uses this downloader to interact with the infected system and attempt to infect other systems in the same network environment.
FireEye found that more than a hundred companies in North America fell victim to such attacks. FireEye investigated many of these incidents and found that the attacker used an unknown privilege escalation vulnerability together with the PoS memory scraping tool PUNCHTRACK.
CVE-2016-0167: Windows 0-day privilege escalation vulnerability
In some attack scenarios, the criminals used a previously unknown Windows privilege escalation exploit to selectively gain SYSTEM privileges on a large number of infected devices.
After discovering this problem, we immediately reported the vulnerability to Microsoft, which released the corresponding patch (MS16-039) on April 12, 2016.
Attacker information
We believe the criminal organization exploiting this vulnerability is clearly a financially motivated attacker. In the past year, we found only one group using these attack techniques and tactics, and only this group used the downloader PUNCHBUGGY and the PoS malware PUNCHTRACK. Note that PUNCHTRACK is loaded by a highly obfuscated launcher, but the loader is not saved on the target system.
This group generally conducts large-scale attacks that are both fast and highly efficient: they develop exploit code specific to the target and, after preliminary reconnaissance, tailor the phishing emails sent to the target users.
Exploit details
Win32k!xxxMNDestroyHandler Use-After-Free
CVE-2016-0167 is a local privilege escalation vulnerability in the win32k Windows graphics subsystem; an attacker who has already achieved remote code execution (RCE) can use it to escalate privileges. First, the attacker achieves remote code execution through a malicious macro in a phishing email attachment, then downloads and runs the CVE-2016-0167 exploit code to obtain SYSTEM privileges.
Microsoft fixed CVE-2016-0167 on April 12, 2016, so the attacker's exploit code no longer works on updated systems. On May 10, 2016, Microsoft released an additional update (MS16-062) that further hardens the system to prevent similar attacks from happening again.
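As an added detection-side example (not code from the article or from FireEye), the following Python flags the chain described above in process-creation events: a process running as SYSTEM whose ancestry includes an Office process, which is what a macro-launched downloader followed by a local privilege escalation leaves behind. The event fields, file paths and account names are assumed for illustration.

```python
# Added example (not code from the article or from FireEye): detection logic for
# the chain described above, where a Word macro runs a downloader that later
# obtains SYSTEM privileges through a local privilege-escalation exploit.
# Event fields, paths and account names below are constructed for illustration.
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process
    user: str   # account the process runs as

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_descendants_as_system(events):
    """Return PIDs of SYSTEM processes whose ancestry includes an Office process;
    a document macro has no legitimate reason to end up with a SYSTEM child."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.user.upper() != SYSTEM_ACCOUNT:
            continue
        cur, depth = e, 0
        # Walk up the parent chain; bounded so a truncated or cyclic log cannot loop forever.
        while cur.ppid in by_pid and depth < 32:
            cur = by_pid[cur.ppid]
            depth += 1
            if _basename(cur.image) in OFFICE_IMAGES:
                hits.append(e.pid)
                break
    return hits

# Constructed sample log: Explorer -> Word -> macro-spawned downloader ->
# child running as SYSTEM, plus an unrelated legitimate SYSTEM process.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "CORP\\alice"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CORP\\alice"),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\update.exe", "CORP\\alice"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\svc.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(500, 4, r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    print(office_descendants_as_system(SAMPLE_EVENTS))  # -> [400]
```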
Vulnerability analysis
First, the exploit code calls CreateWindowEx() to create a main window, passing a function named WndProc in the WNDCLASSEX.lpfnWndProc field. Next, it installs two hooks with SetWindowsHookEx() or SetWinEventHook(); we will call these two hook functions MessageHandler and EventHandler, that is, the message handler and the event handler.
Then the exploit code uses SetTimer() to create a timer with IDEvent 0x5678. When the timer expires, WndProc receives the WM_TIMER message and calls TrackPopupMenuEx() to display a shortcut menu. The event hook installed earlier (MessageHandler) captures the EVENT_SYSTEM_MENUPOPUPSTART event from TrackPopupMenuEx() and sends the corresponding message to the kernel. While handling that message, the kernel calls the vulnerable xxxMNDestroyHandler() function, which invokes the message handler callback from kernel mode; the call to DestroyWindow() inside that event handler then triggers the use-after-free (UAF) vulnerability.

