PowerPool Backdoor Trojan [Via CVE-2018-8440]
PowerPool is a newly observed backdoor trojan exploiting the recently disclosed Windows ALPC vulnerability (CVE-2018-8440) to target users throughout Europe, North America and Asia.
It affects Microsoft Windows from Windows 7 to Windows 10, and in particular the Advanced Local Procedure Call (ALPC) function, and allows a Local Privilege Escalation (LPE). LPE allows an executable or process to escalate privileges. In that specific case, it allows an executable launched by a restricted user to gain administrative rights.
At the time of publication, PowerPool is delivered via spam or phishing campaigns containing Symbolic Link (.slk) files. When opened, these files can be automatically loaded by Microsoft Excel to execute a PowerShell script. This script then downloads and installs PowerPool.
Once installed on a device, PowerPool initiates a first-stage module that collects system information and performs network reconnaissance. It will then download and execute a secondary backdoor module that will attempt to gain persistence. Once this is achieved the threat actors use five open-source tools (FireMaster, PowerDump, PowerSploit, SMBExec and Quarks PwDump) to traverse the network.
CVE-2018-8440 | Windows ALPC Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC).
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.
The update addresses the vulnerability by correcting how Windows handles calls to ALPC.
Indicators of Compromise
IP Addresses
- 27.102.106[.]149
URLs
- newsrental[.]net
- rosbusiness[.]eu
- afishaonline[.]eu
- sports-collectors[.]com
MD5 File Hashes
- 038f75dcf1e5277565c68d57fa1f4f7b3005f3f3
- 247b542af23ad9c63697428c7b77348681aadc9a
- 0423672fe9201c325e33f296595fb70dcd81bcd9
- b4ec4837d07ff64e34947296e73732171d1c1586
- 9dc173d4d4f74765b5fc1e1c9a2d188d5387beea
Resolution
Microsoft has provided a patch for this via Windows Update
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.