Writing advanced malware for a threat actor requires different groups of people with diverse technical expertise to put it all together. But can the code leave enough clues to reveal the person behind it?
To this end, cybersecurity researchers on Friday detailed a new methodology for identifying exploit writers that uses their unique characteristics as fingerprints to track down other exploits they have developed.
Using this technique, the researchers connected 16 Windows local privilege escalation (LPE) exploits with two zero-day vendors “Volodya” (formerly known as “BuggiCorp”) and “PlayBit” (or “luxor2008”).
“Instead of focusing on the whole malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to focus on these few functions written by an exploit developer,” Check Point Research’s Itay Cohen and Eyal Itkin noted.
Fingerprinting the Exploit Author’s Characteristics
The idea, in a nutshell, is to fingerprint an exploit by the specific artifacts that can uniquely tie it to a developer. These could be hard-coded values, string names, or even how the code is organized and how certain functions are implemented.
Check Point said its analysis began in response to a “complex attack” against one of its customers, during which the researchers came across a 64-bit malware executable that exploited CVE-2019-0859 to gain elevated privileges.
Noticing that the exploit and the malware were written by two different sets of people, the researchers used properties of the binary as a unique hunting signature to find at least 11 other exploits by the same developer, known as “Volodya” (or “Volodimir”).
“Finding a vulnerability, and reliably exploiting it, is likely to be done by specific teams or individuals who specialize in a particular role. The malware developers are not really worried about how it works behind the scenes; they just want to integrate this [exploit] module and be done with it,” the researchers said.
Interestingly, Volodya – likely of Ukrainian origin – has previously been linked to selling Windows zero-days to cyberespionage groups and crime gangs for anywhere between $85,000 and $200,000.
Chief among them was an LPE exploit that triggered memory corruption in “NtUserSetWindowLongPtr” (CVE-2016-7255), which was widely used by ransomware operators such as GandCrab, Cerber, and Magniber. Volodya is believed to have advertised this LPE zero-day on the Exploit.in cyber-crime forum in May 2016.
In total, five one-day and six zero-day exploits were found to have been developed by Volodya over the period 2015-2019. Subsequently, the same technique was used to identify five other LPE exploits by another exploit writer called PlayBit.
Noting the code-level similarities among the exploit samples, which grant SYSTEM privileges to the desired process, the researchers said, “both of our actors were very consistent in their respective exploitation practices, each adhering to their favorite way.”
What’s more, Volodya also appears to have changed tactics in the intervening years, with the developer moving from selling exploits as source code that can be embedded in the malware to selling them as external utilities that accept a specific API.
Apart from ransomware groups, Volodya has been found to cater to a broad range of customers, including the operators of the Ursnif banking trojan and APT groups such as Turla, APT28, and Buhtrap.
“The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia, and it is interesting to find that even these advanced groups are buying exploits instead of developing them in-house,” Check Point observed in its analysis. “This is another point that further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.”
With cyberattacks expanding in scope, frequency, and size, using an exploit developer’s code signature as a means of tracking down bad actors could provide valuable insight into the exploit black market.
“When Check Point detects a vulnerability, we show its severity, report it to the appropriate vendor, and make sure it’s patched, so it’s not a threat,” Cohen said. “However, for the individuals trading these exploits, it’s a completely different story. For them, finding the vulnerability is just the beginning. They need to exploit it reliably on as many versions as possible in order to monetize it to a customer’s satisfaction.”
“This research provides insight into how that is achieved, and into the buyers in this market, who often include state actors. We believe this research methodology can be used to identify additional exploit writers.”