Threat Watch

Internet Explorer and Windows Exploits Used in Operation PowerFall

In May of 2020, Kaspersky identified and stopped an attack on a South Korean business. This particular attack leveraged two previously undisclosed zero-day vulnerabilities in Internet Explorer and Windows.

  • CVE-2020-0986 – Elevation of privilege exploit
  • CVE-2020-1380 – Use-after-free vulnerability

CVE-2020-1380 is one of four recently discovered vulnerabilities in jscript.dll. The exploit references already-freed memory to execute code and, in this case, load a second-stage DLL. The second-stage DLL is a reflective loader that drops an executable called “ok.exe” into a temporary folder and executes it. Ok.exe takes advantage of CVE-2020-0986, which is related to the Print Spooler API, to elevate privileges. Kaspersky believes that these attacks can be attributed to the DarkHotel threat group.

ANALYST NOTES

As both vulnerabilities have been patched, Binary Defense recommends updating affected systems if possible. To defend against attacks that exploit unpatched or unknown vulnerabilities, Binary Defense recommends 24/7 monitoring of network and endpoint events generated by Endpoint Detection and Response (EDR) solutions, or partnering with a managed security services provider such as Binary Defense’s Security Operations Task Force. Several of the actions taken by this malware would be detected by the Binary Defense SOC, including the encoded PowerShell used in the second-stage loader.
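As an added illustration (not Binary Defense's or Kaspersky's detection logic), the Python sketch below triages process-creation events for two behaviors described above: an executable launched from a temporary folder by the browser, and PowerShell started with an encoded command, which it decodes for the analyst. The event field names, the assumption that the dropped file's parent process is iexplore.exe, and the sample events are all constructed for this example.

```python
import base64
import re

# "-flag value" pairs; the lookahead keeps a flag visible even right after another flag.
FLAG_RE = re.compile(r"(?:^|\s)[-/](\w+)(?=\s+(\S+))")
TEMP_EXE_RE = re.compile(r"\\(?:temp|tmp)\\.*\.exe$", re.IGNORECASE)
BROWSERS = ("iexplore.exe",)  # assumption: the dropper runs inside the browser process

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload of a PowerShell command line, or None."""
    for flag, value in FLAG_RE.findall(cmdline):
        # powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec
        if flag.lower() == "ec" or "encodedcommand".startswith(flag.lower()):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # invalid base64 or invalid UTF-16
                return "<undecodable payload>"
    return None

def triage(events):
    """Return (event index, rule name, detail) for each suspicious process creation."""
    findings = []
    for i, ev in enumerate(events):
        image, parent = ev["image"].lower(), ev["parent"].lower()
        if parent.endswith(BROWSERS) and TEMP_EXE_RE.search(image):
            findings.append((i, "browser_spawned_temp_exe", ev["image"]))
        if image.endswith(("powershell.exe", "pwsh.exe")):
            payload = decode_encoded_command(ev["cmdline"])
            if payload is not None:
                findings.append((i, "encoded_powershell", payload))
    return findings

# Constructed sample events (not taken from the incident).
SAMPLE_PS = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
EVENTS = [
    {"parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\ok.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\ok.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + SAMPLE_PS},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The third sample event is a benign PowerShell launch and produces no finding, which shows that the flag check does not confuse `-ExecutionPolicy` with an abbreviated `-EncodedCommand`.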

Source:

Internet Explorer and Windows zero-day exploits used in Operation PowerFall