Zero-day Windows exploit used in espionage campaign


By Dylan Bushell-Embling
Monday, 15 July, 2019

A newly discovered zero-day Windows vulnerability is being deployed in a highly targeted attack in Eastern Europe to conduct cyber espionage, according to security company ESET.

The local privilege escalation vulnerability in Windows 7 and Windows Server 2008 is being exploited by the well-known Buhtrap hacking group, according to ESET, which discovered the zero-day exploit.

Buhtrap is infamous for targeting financial institutions and businesses in Russia, but appears to have pivoted towards conducting cyber espionage. This is also the first time ESET researchers have observed Buhtrap using a zero-day exploit in an attack campaign.

The exploit manipulates pop-up menu objects to abuse a NULL pointer dereference in the win32k.sys component of unpatched Windows 7 Service Pack 1 and various Windows Server 2008 products.

Microsoft has already released a patch for the vulnerability after it was reported to the Microsoft Security Response Center.

Buhtrap malware was discovered in government institutions in December 2015, a few months before the malware's source code was leaked online. ESET researcher Jean-Ian Boutin said this has led the company to conclude that Buhtrap has been changing its targets to include espionage in Eastern Europe and Central Asia.

“It’s always difficult to attribute a campaign to a particular actor when their tools’ source code is freely available on the web. However, as the shift in target occurred before the source code leaked, ESET assessed with high confidence that the same people behind the first Buhtrap malware attacks against businesses and banks are also involved in the targeting of governmental institutions,” he said.

“It’s unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward.”
