Kaspersky Warns About New Threat Actor "PuzzleMaker" Chaining 10 Exploits & 4 Malware Modules

Kaspersky's research team has reported a new threat actor, which it dubbed "PuzzleMaker" for the way the group chains multiple exploits and malware modules.

None of the artifacts they analyzed have ties to known threat actors, so the Kaspersky team concluded that PuzzleMaker is a previously unknown group.

According to Kaspersky, PuzzleMaker has already targeted multiple companies worldwide in highly targeted attacks that exploit zero-day vulnerabilities in Google Chrome and Windows 10. The attacks were first spotted in mid-April.

To penetrate targeted systems, the campaign used a vulnerability in Google Chrome's V8 JavaScript engine, the researchers wrote. Next, PuzzleMaker exploited two critical flaws in Windows 10 (CVE-2021-31955 and CVE-2021-31956, both patched in the June Patch Tuesday release). The elevation-of-privilege exploit was custom-tailored to the latest versions of the OS. In all, the chain combined the Chrome exploit with the two Windows exploits.

Once the system is compromised, the attackers can fetch and execute a more complex malware payload from a remote server. To execute arbitrary code with elevated privileges, the exploit combined CVE-2021-31956 with the Windows Notification Facility (WNF). The payload that followed consists of four malware modules, dubbed Stager, Service, Remote shell, and Dropper.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

This dropper installs two executables disguised as legitimate Microsoft Windows files. The second of these is a remote shell module, which can download and upload files, execute processes, and sleep.
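Binaries that masquerade as Windows components are a common final stage, and one practical check for them is to verify that everything a service launches from the Windows directory carries a valid Microsoft Authenticode signature. The script below is an added hunting example, not code from the Kaspersky report or from this article, and it does not identify the PuzzleMaker files themselves; it assumes an elevated Windows PowerShell 5.1 session on Windows 10, where Get-AuthenticodeSignature also validates catalog-signed system files.

```powershell
# Added hunting example (not from Kaspersky or CyberIntelMag): enumerate Win32
# services, resolve each service's executable, and report binaries under the
# Windows directory that do not carry a valid Microsoft Authenticode signature.
# Assumes: elevated Windows PowerShell 5.1 on Windows 10 (catalog signatures
# are validated there; older hosts may flag legitimate catalog-signed files).

function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    # Service image paths come quoted, unquoted, with environment variables,
    # and usually with arguments (e.g. svchost.exe -k netsvcs -p).
    $p = [Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: grow the candidate token by token
    # until it names an existing file, then treat the rest as arguments.
    $tokens = $p -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Find-UnsignedServiceBinaries {
    param([string]$WindowsDir = $env:SystemRoot)

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath -PathName $svc.PathName

        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            # A service whose image is missing is itself worth a look.
            [PSCustomObject]@{ Service = $svc.Name; Path = $exe; Status = 'MissingFile'; Signer = $null }
            continue
        }

        $inWindows = $exe.StartsWith($WindowsDir, [StringComparison]::OrdinalIgnoreCase)
        if (-not $inWindows) { continue }   # scope: files posing as Windows components

        $sig    = Get-AuthenticodeSignature -LiteralPath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $isMicrosoft = $signer -and ($signer -match 'O=Microsoft Corporation')

        if (-not ($sig.Status -eq 'Valid' -and $isMicrosoft)) {
            [PSCustomObject]@{ Service = $svc.Name; Path = $exe; Status = $sig.Status; Signer = $signer }
        }
    }
}

Find-UnsignedServiceBinaries | Format-Table -AutoSize
```

Anything this lists is a lead, not a verdict: third-party software legitimately installs services under the Windows directory, so compare each hit against the vendor's expected signer before escalating. Extend the same check to scheduled tasks and Run keys if you want coverage of persistence mechanisms beyond services.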

Kaspersky antivirus solutions detect these malware modules with the verdicts PDM:Exploit.Win32.Generic, PDM:Trojan.Win32.Generic, and UDS:DangerousObject.Multi.Generic.

This is not the first time that a Chrome zero-day exploit chain was used in the wild in recent months. Earlier this year, a group of hackers attacked Windows, iOS, and Android users with 11 zero-day exploits, Google’s Project Zero reported.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.