Kaspersky's research team has reported a new threat actor, which it dubbed “PuzzleMaker” for its method of chaining together multiple exploits and malware modules.
None of the artifacts analyzed have ties to known threat actors, so the Kaspersky team concluded that PuzzleMaker is a new, previously unknown threat actor.
According to Kaspersky, PuzzleMaker has already targeted multiple companies worldwide in highly targeted attacks that exploit zero-day vulnerabilities in Google Chrome and Windows 10. The attacks were first spotted in mid-April.
The attackers used the Chrome exploit to gain initial code execution and the Windows 10 vulnerability CVE-2021-31956, combined with Windows Notification Facility (WNF) primitives, to escalate privileges and execute arbitrary code on the system. Once the system is compromised, a more complex malware payload is retrieved from a remote server; it consists of four additional malware modules, dubbed Stager, Service, Remote shell, and Dropper.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
This dropper installs two executables that are disguised as legitimate Microsoft Windows files. The first is registered as a service and launches the second, a remote shell module that can download and upload files, execute processes, and sleep for a specified time.
Kaspersky antivirus solutions detect these malware modules with the verdicts PDM:Exploit.Win32.Generic, PDM:Trojan.Win32.Generic, and UDS:DangerousObject.Multi.Generic.
This is not the first time in recent months that a Chrome zero-day exploit chain has been used in the wild. Earlier this year, Google's Project Zero reported that a group of hackers had attacked Windows, iOS, and Android users with 11 zero-day exploits.