Security researchers discovered a new threat actor dubbed PuzzleMaker, which has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide.
According to the researchers, the attacks attributed to PuzzleMaker were first spotted in mid-April, when the initial victims’ networks were compromised.
Next, the PuzzleMaker threat actors used an elevation-of-privilege exploit tailored to the latest Windows 10 versions, which chained an information disclosure vulnerability in the Windows kernel (CVE-2021-31955) with a Windows NTFS privilege escalation bug (CVE-2021-31956); both were patched in the June Patch Tuesday.
Malware deployed with system privileges
The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.
“This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.