Hunting Exploits by Looking for the Author's Fingerprints: Graphology of an Exploit


Check Point Software (@checkpoint)

Over the past months, our Vulnerability and Malware Research teams joined efforts to focus on the exploits inside the malware and, specifically, on the exploit writers themselves. Starting from a single Incident Response case, we built a profile of one of the most active exploit developers for Windows, known as "Volodya" or "BuggiCorp". Up until now, we managed to track down more than 10 (!) of their Windows Kernel Local Privilege Escalation (LPE) exploits, many of which were zero-days at the time of development.


Our story begins, as all good stories do, with an incident response case. When analyzing a sophisticated attack against one of our customers, we noticed a very small 64-bit executable that was executed by the malware. The sample contained unusual debug strings that pointed at an attempt to exploit a vulnerability on the victim machine. Even more importantly, the sample had a leftover PDB path which proclaimed loud and clear the goal of this binary: …\cve-2021-0859\x64\Release\CmdTest.pdb. With the absence of any online resource with this implementation of CVE-2021-0859, we realized that we were not looking at a publicly available PoC, but rather at a real-world exploitation tool. This intrigued us to dig deeper.

Reverse-engineering the exploit was pretty easy. The binary was small, and the debug messages were there to guide us. It exploited a use-after-free (UAF) vulnerability in CreateWindowEx to gain elevated privileges for the parent process. We quickly made an interesting observation: it looked like the exploit and the malware itself were not written by the same people. The code quality, lack of obfuscation, PDBs, and timestamps all pointed to this conclusion.


Figure 1: A call to CreateWindowEx, as can be seen in Cutter.

Exploits Distribution 101

We tend to look at the people behind a specific malware family as one unbroken unit. It's easier to imagine that each component was written by a single person, team, or group. The truth is, writing advanced malware, whether by nation states or criminals, involves different groups of people with various skills. A cyber-espionage group of a nation state is likely to have hundreds or even thousands of employees in different groups and branches. Each worker in the organization has a specific role, fine-tuned by specific technological training and years of experience. In such an organization, the workload of writing the common components is broken down among specialized teams, with different ones responsible for the initial access, collecting sensitive information, lateral movement, and more.

An operational entity whose goal is to embed an exploit module in its malware can't rely on malware developers alone. Finding a vulnerability, and reliably exploiting it, will most likely be done by specific teams or individuals who specialize in that particular role. The malware developers, for their part, don't really care how it works behind the scenes; they just want to integrate this module and be done with it.

For this division of labor to work, both teams need to agree on some API that will be the bridge between the different components. This integration API isn't unique to state actors, but is a common feature in the "free market" of exploits. Whether it involves underground forums, exploit brokers, or offensive cyber companies, all of them provide their customers with instructions on how to integrate the exploit into their malware.

In essence, this integration point is the key aspect that we want to focus on in our research. Assuming that exploit authors work independently, and only distribute their code/binary module to the malware authors, we decided to focus on them for a change. By analyzing the exploits embedded in malware samples, we can learn more about the exploit authors, hopefully distinguishing between them by studying their coding habits and the other fingerprints they leave as clues to their identity when distributing their products to their malware-writing counterparts.

Fingerprinting Exploit Developers

Instead of focusing on an entire malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to concentrate on those few functions that were written by an exploit developer. Having this small 64-bit binary from the incident response case looked like a promising start.

The binary did nothing other than exploit CVE-2021-0859 and wasn't based on source code or a POC that was shared publicly. It made a perfect candidate for us to fingerprint, as the executable was not polluted by code written by anyone other than the exploit author. In addition, the executable was separated from the main binary of the malware, an infamous crimeware, which made us believe that this exploit wasn't developed in-house by the malware developers. With this hope, we set out to find more exploits written by the same author.

We started by collecting simple artifacts from the binary we already had: strings, internal file name, timestamps, and the PDB path. The first result came immediately: a 32-bit executable that was an exact match to the 64-bit sample. Specifically, as their timestamps and embedded PDB paths showed, they were compiled together, at the same time and from the same source code. Now that we had these two samples, we were able to formulate what we should look for.

To fingerprint the author of this exploit, we set our sights on the following:

1. Unique artifacts in the binaries

  • Hard-coded values (Crypto constants, "garbage" values such as 0x11223344)
  • Data tables (Usually version-specific configurations)
  • Strings (GDI object names: "MyWindow", "MyClass_56", "findme1", …)
  • PDB path

2. Code snippets

  • Unique implementation of functions
    ○ Syscall wrappers
    ○ Inline assembly
    ○ Proprietary crypto functions / implementations
  • Techniques and habits
    ○ Preferred leaking technique (HMValidateHandle, gSharedInfo, etc.)
    ○ Preferred elevation technique (How is the token replacement done?)
    ○ Heap spraying technique (Using AcceleratorTables? Windows? Bitmaps?)
  • Framework
    ○ The flow of the exploits
    Option #1: Main exploit flow with almost no side-branches
    Option #2: Multiple twists and knobs for different versions of the OS
    ○ The structure of the code and the functions in it
    Modularity: Separation into functions
    Structure: Separation into clear phases (Init, config, spray, token swap, …)
    Global Variables: What information is stored in global variables? (OS version? OS version enum? Just a specific field offset?)
    ○ Version-specific configurations:
    Field offsets: What fields are of specific interest?
    Preferred system calls: Preferred set of syscalls
    ○ API provided to the customer

Figure 2: The set of exploit-related artifacts that we will be looking for.

With these properties in mind, we looked back at the two samples we had and marked some artifacts we thought were unique. Although we had only two small binaries (that were essentially the same), we were able to create hunting rules to find more samples written by this developer. To our surprise, we were able to find more of them than we could have imagined.

One by one, dozens of samples started showing up, and with each one, we improved our hunting rules and methodologies. With a careful analysis of the samples, we were able to understand which samples exploited which CVE, and based on that created a timeline to understand whether the exploit was written as a 0-day before it was exposed, or whether it was a 1-day implemented based on patch-diffing and similar techniques.

At this point, we had more than 10 CVEs that we were able to attribute to the same exploit developer, based on our fingerprinting methodology alone and without additional intelligence. Later on, public reports revealed the name of our target exploit broker: Volodya (a.k.a. Volodimir), previously known as BuggiCorp. It seemed we weren't the only ones to track this exploit broker, as Kaspersky reported some relevant information about them on several occasions. In addition, ESET also mentioned some of Volodya's incriminating trails in their VB2019 talk about Buhtrap.

According to Kaspersky, Volodya first made headlines under their "BuggiCorp" nickname, when they advertised a Windows 0-day for sale on the infamous Exploit[.]in cyber-crime forum with a starting price of $95,000. Over the years, the price went up and some of their Windows LPE 0-day exploits were sold at prices as high as $200,000. As revealed in Kaspersky's report, and later confirmed by us, Volodya sold exploits to both crimeware and APT groups. We discuss the actor's clients in more detail under the chapter "The Customers".

Our actor's exploits

Although a few of our initial hunting rules needed some fine-tuning, even the quick results we received were quite surprising. After further calibration, we managed to find a large number of samples, all of which were Local Privilege Escalation (LPE) exploits for Windows. Out of these samples, we were able to identify the following list of CVEs that were exploited by our actor.

Side note:

During the classification of the exploits, we chose to take a conservative approach when deciding if a given vulnerability was exploited as a 0-Day or a 1-Day. If other security vendors attributed the in-the-wild exploit to our actor, then it was a 0-Day. If we found sufficient evidence that one of our samples is indeed the exploit circulating in the wild, exactly as described by a vendor in their report, then we also flagged it as such.

In all other cases, we marked the vulnerability as an exploited 1-Day, preferring to have a lower bound on the 0-Day count instead of mistakenly overshooting the correct number.


  • Classification: 1-Day
  • Basic Description: Use-After-Free in xxxSendMessage (tagPOPUPMENU)
  • 0-Day vendor report: FireEye
  • Found in the following Malware samples: Ursnif, Buhtrap

Our exploit samples use a different memory shaping technique than the one described in the initial report: spraying Windows instead of Accelerator Tables. In addition, our earliest and most basic exploit sample contains the following PDB path, suggesting the author already knew the CVE-ID for this vulnerability: "C:\…\volodimir_8c2\CVE-2021-2546_VS2012\x64\Release\CmdTest.pdb"


  • Classification: 1-Day
  • Basic Description: Uninitialized kernel pointer in WMIDataDevice IOControl
  • 0-Day vendor report: N/A. Was never exploited as a 0-Day in the wild
  • Found in the following Malware samples: Ursnif

This exploit was used in a single sample that also contained the previously described exploit for CVE-2021-2546. This exploit is selected if the target is a Windows version older than Windows 8. Otherwise, CVE-2021-2546 is used.


  • Classification: 0-Day
  • Basic Description: Use-After-Free in Win32k!xxxMNDestroyHandler
  • 0-Day vendor report: FireEye
  • Found in the following Malware samples: PUNCHBUGGY

Our exploit samples align perfectly with the technical report regarding the in-the-wild exploit.


  • Classification: 1-Day
  • Basic Description: Use-After-Free in Win32k!xxxMNDestroyHandler
  • 0-Day vendor report: Found by Kaspersky, but no report was published publicly
  • Found in the following Malware samples: Ursnif

This is an interesting case. Our actor's 0-Day (CVE-2021-0167) was patched by Microsoft in April 2021. The same patch also fixed CVE-2021-0165, which was also used in the wild. Looking for a new vulnerability to exploit, our actor probably patch-diffed Microsoft's fixes and found a vulnerability that they thought was the patched 0-Day. This vulnerability originates in the patched function used in their previous vulnerability: Win32k!xxxMNDestroyHandler.

*We have multiple indications from their exploit samples for this vulnerability that either the exploit author or at least their customers were sure that they had been sold an exploit for CVE-2021-0165. The sad truth is, after analyzing the exploit, we can say that the exploited vulnerability is a different one.


Figure 3: Debug string indicating the confusion around CVE-2021-0165, as can be seen in Cutter.

This confusion is probably due to the fact that Microsoft releases a single fix that addresses multiple vulnerabilities, and they are the only ones with the full mapping between each code fix and the CVE that was issued for it.


  • Classification: 0-Day
  • Basic Description: Memory corruption in NtUserSetWindowLongPtr
  • 0-Day vendor report: Reported by Google, with a technical report by TrendMicro
  • Found in the following Malware samples: Attributed to APT28 (aka Fancy Bear, Sednit). Used later by Ursnif, Dreambot, GandCrab, Cerber, Maze

Our exploit samples align perfectly with the technical report regarding the in-the-wild exploit. This specific exploit was later also used by different ransomware actors. In addition, we've seen other exploits for this specific vulnerability that were sold as 1-Days to other ransomware actors as well.

Note: We have multiple pieces of circumstantial evidence to believe that this 0-Day was the one mentioned by BuggiCorp in the famous ad posted to the exploit[.]in forum in May 2021.


  • Classification: 1-Day
  • Basic Description: Use-After-Free in RemoveFontResourceExW
  • 0-Day vendor report: N/A. Was never exploited as a 0-Day in the wild
  • Found in the following Malware samples: Attributed to Turla. Later used by Ursnif

Used as a 1-Day in operations attributed to Turla (FireEye).


  • Classification: 0-Day
  • Basic Description: Use-After-Free in win32k!xxxDestroyWindow
  • 0-Day vendor report: ESET
  • Found in the following Malware samples: Attributed to APT28 (aka Fancy Bear, Sednit)

Our exploit samples align perfectly with the technical report regarding the in-the-wild exploit.


  • Classification: 1-Day
  • Basic Description: Double Free in win32k!xxxTrackPopupMenuEx
  • 0-Day vendor report: N/A. Was never exploited as a 0-Day in the wild
  • Found in the following Malware samples: Magniber

Once again, identifying the used 1-Days is usually harder than identifying 0-Days. This time, we couldn't find any sample that could hint at which vulnerability the actor thought they were exploiting.

*We identified that this specific vulnerability was patched by Microsoft in December 2021. After scanning the list of vulnerabilities addressed in this patch, we're pretty sure that Microsoft classified this vulnerability as CVE-2021-8641, but we can't know for sure.

Update: On June 24, 2021 Kaspersky published in their blog an analysis of exploits distributed through the Magnitude exploit kit. In their blog post, Kaspersky analyzed the LPE exploit used by Magniber, attributed it to Volodya and estimated that it is probably CVE-2021-8641. This independent conclusion on Kaspersky's part strengthens our initial estimate.


  • Classification: 0-Day
  • Basic Description: Use-After-Free in CreateWindowEx
  • 0-Day vendor report: Kaspersky
  • Found in the following Malware samples: Used as a standalone component to be injected or loaded. We couldn't attribute it to any specific APT/malware.

Our exploit samples align perfectly with the technical report regarding the in-the-wild exploit. Our research started with a single sample of this exploit that was found in a customer's network. In one of the samples we found later on, we could see this clear PDB string: "X:\tools\0day\09-08-2021\x64\Release\RunPS.pdb", as opposed to the PDB string in our initial sample: "S:\Work\Inject\cve-2021-0859\Release\CmdTest.pdb".


  • Classification: 0-Day
  • Basic Description: NULL pointer dereference in win32k!xxxMNOpenHierarchy (tagPOPUPMENU)
  • 0-Day vendor report: ESET
  • Found in the following Malware samples: Attributed to Buhtrap

*We have multiple reasons to believe that this was another 0-Day exploit from Volodya, as multiple technical details in the report match their usual exploitation methods. In addition, the exploit was reported to have the following PDB path embedded in it: "C:\work\volodimir_65\…pdb". However, this is the only exploit in our list that we have not yet found a sample of, and so we can't be sure in our attribution of this exploit.


  • Classification: 1-Day
  • Basic Description: Memory corruption in window switching
  • 0-Day vendor report: Kaspersky (Initial Report, Detailed Report)
  • Found in the following Malware samples: Attributed to operation WizardOpium

Our exploit doesn't align with the technical report regarding the in-the-wild exploit. In addition, in their detailed report, Kaspersky noted that "it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability." And indeed, our sample is dated 6 days after Kaspersky's initial report.

Vulnerabilities Summary

Here is a table summarizing the vulnerabilities we've listed:


The author's fingerprints

Now that we have found more than 10 different exploits from Volodya, we can compare them in greater detail and familiarize ourselves with the actor's work habits. It was clear to us from the start that our actor probably has a simple template they deploy for the different exploits, as the function flow of each exploit, and even the order of the different functions, were shared between most of the exploits.

Throughout this section, we describe several key characteristics that reflect the different implementation choices made by Volodya when developing the exploit template. We compare their implementation to that of another exploit author, known by the nickname PlayBit. Through this comparison we aim to outline the wide range of implementation options that exist in each part of the exploit, making each author's set of implementation choices a unique "signature" of their way of thinking and working.

PlayBit (a.k.a. luxor2008)

Using the same technique we used to hunt Volodya's exploits, we managed to track down 5 Windows LPE 1-Day exploits that were written by PlayBit, in addition to other tools that the author sold throughout the years. We started from a single sample, CVE-2021-8453, which is used by REvil ransomware, and used PlayBit's unique fingerprints to hunt out more exploits.

We found the following Windows LPE exploits implemented as 1-days by this author:

  • CVE-2021-3660
  • CVE-2021-0057
  • CVE-2021-1701
  • CVE-2021-7255 – This is a 0-Day of Volodya
  • CVE-2021-8453

Technically, PlayBit also sold two exploits for CVE-2021-1069 (a SandboxEscaper vulnerability) and CVE-2021-0787. However, we ignore these exploits as they aren't memory corruption vulnerabilities, but rather vulnerabilities in different services, and as such have a different structure.

Note: A deeper analysis of PlayBit, and the different exploits they developed and sold, will be released in an upcoming blog post.

bool elevate(int target_pid)

The API in all of Volodya's exploit samples is always the same. Regardless of whether it was embedded within a malware sample or was a standalone POC, the exploit had a single API function with the following signature:

bool elevate(int target_pid)


Figure 4: Invoking the elevate(target_pid) function, as can be seen in Cutter.

The exploit itself doesn't include any feature for injecting shellcode into another process or anything fancy of this kind. It grants SYSTEM privileges to the desired process, taking nothing other than its PID as an argument.


The first thing that the elevate() function does, right after it's invoked by the malware, is to Sleep() for a constant period of 200 milliseconds.


Figure 5: Starting the exploit with a call to Sleep(200), as can be seen in Cutter.

It isn't entirely clear why the Sleep(200) is there in the template of the exploits. We suspect it's to avoid unnecessary instability, especially since most of these exploits are based on timing (UAF, races). Therefore, waiting a moment for the I/O and memory-access-related activities to complete could improve stability. As the exploits are part of malware, all the malware-related code that runs before the exploit will cause a short spike in CPU/disk/RAM, and it might make sense to let things calm down a bit before moving on to the actual exploit. For a short-term spike load (which naturally occurs when starting new processes, reading/writing files from disk, etc.), it should be enough to wait 200ms.

Although we've noticed a change in this pattern in the newest samples, this feature can still be found in 9 of the exploits we've seen.

Comparison to PlayBit: PlayBit doesn't have such a feature in their exploits.

OS Fingerprinting

Right after waking from its beauty sleep, the exploit identifies and calibrates itself to the target's Windows version, in order to support as many OS versions as possible. From our samples, it seems that the author queries the OS using two techniques:

Parsing ntdll.dll's header

This is the most commonly used technique. A handle to ntdll.dll is used to find the offset to the IMAGE_NT_HEADERS, from which the MajorOperatingSystemVersion and MinorOperatingSystemVersion fields are parsed.
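The header walk above and the artifact collection described under "Fingerprinting Exploit Developers" (timestamps, PDB path, architecture) both come down to parsing IMAGE_NT_HEADERS. The following Python is an added example, not code from this post or from either actor: it parses a constructed, headers-only PE (not a real ntdll.dll), reads the Major/MinorOperatingSystemVersion fields, the link timestamp and the RSDS PDB path, and checks whether two builds were compiled together. The sample paths and timestamp are invented.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# (MajorOperatingSystemVersion, MinorOperatingSystemVersion) -> Windows release.
# For system DLLs such as ntdll.dll these fields match the running OS, which is
# why the exploit template reads them instead of calling a version API.
OS_VERSIONS = {
    (5, 1): "Windows XP", (5, 2): "Windows Server 2003 / XP x64",
    (6, 0): "Windows Vista / Server 2008", (6, 1): "Windows 7 / Server 2008 R2",
    (6, 2): "Windows 8 / Server 2012", (6, 3): "Windows 8.1 / Server 2012 R2",
    (10, 0): "Windows 10 / Server 2016 and later",
}
MACHINES = {0x14C: "x86", 0x8664: "x64"}


def parse_nt_headers(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                      # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Major/MinorOperatingSystemVersion sit at offset 40 in both PE32 and PE32+.
    major, minor = struct.unpack_from("<HH", data, opt + 40)
    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "build_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "os_version": (major, minor),
        "os_name": OS_VERSIONS.get((major, minor), "unknown"),
    }


def extract_pdb_path(data: bytes) -> Optional[str]:
    """Find a CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + path.
    Signature scanning is what string-based triage does; a complete parser
    would reach the record through the debug directory instead."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\0", start)
    return data[start:end if end >= 0 else len(data)].decode("latin-1")


def fingerprint(data: bytes) -> dict:
    """The artifact set used for hunting: architecture, link time, OS target
    and PDB path (the project directory inside it is the most telling part)."""
    fp = parse_nt_headers(data)
    fp["pdb_path"] = extract_pdb_path(data)
    return fp


def compiled_together(fp_a: dict, fp_b: dict) -> bool:
    """Same link timestamp and same PDB path modulo the platform directory
    means one build of one source tree, which is how the 32-bit and 64-bit
    CmdTest samples were paired."""
    def strip_platform(path):
        return path.replace("\\x64\\", "\\").replace("\\Win32\\", "\\")
    if not fp_a["pdb_path"] or not fp_b["pdb_path"]:
        return False
    return (fp_a["timestamp"] == fp_b["timestamp"]
            and strip_platform(fp_a["pdb_path"]) == strip_platform(fp_b["pdb_path"]))


def build_sample(machine: int, major: int, minor: int, timestamp: int, pdb_path: str) -> bytes:
    """Constructed headers-only PE used as offline input (not a real binary)."""
    pe32plus = machine == 0x8664
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", opt, 40, major, minor)
    codeview = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\0"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + codeview


# Constructed pair: a 64-bit and a 32-bit build with one timestamp and one
# project directory; the path and timestamp are invented, not from any sample.
SAMPLE_X64 = build_sample(0x8664, 6, 1, 1_555_000_000, "C:\\work\\proj_x\\x64\\Release\\CmdTest.pdb")
SAMPLE_X86 = build_sample(0x14C, 6, 1, 1_555_000_000, "C:\\work\\proj_x\\Release\\CmdTest.pdb")

if __name__ == "__main__":
    for sample in (SAMPLE_X64, SAMPLE_X86):
        print(fingerprint(sample))
    print("compiled together:", compiled_together(fingerprint(SAMPLE_X64), fingerprint(SAMPLE_X86)))
```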


Calling GetVersionExW()

This technique is usually used alongside the previous one and was only used in samples from 2021 to the beginning of 2021. This is probably due to the fact that this API is now deprecated.


Figure 6: Calling GetVersionExW() to get the Windows version, as can be seen in Cutter.

In both of these techniques, the goal is to query both the major and minor version of the OS, and configure the exploit's global variables accordingly.

While most exploits support a wide range of Windows versions, Volodya never seems to care about the specific service pack of the target, nor about whether it is a Windows server or not. Aside from the interest in specific Windows 10 build versions, used only in the exploit for CVE-2021-1458, our actor only uses the major and minor versions, and that's it.

Comparison to PlayBit: Once again, GetVersionEx() is used, usually with a later additional parsing of the major and minor numbers from the Process Environment Block (PEB) itself, as can be seen in Figure 7. Not only is the PEB used instead of ntdll.dll, PlayBit also extracts more information from the GetVersionEx() output, such as the computer's Service Pack, and even checks whether the target computer runs a server operating system.


Figure 7: Extracting the major and minor versions from the PEB, as can be seen in Cutter.

This is a clear difference in the modus operandi of the two actors. Not only do they extract the same information in different ways, Volodya is interested in far less information than PlayBit, even when they both exploit the same vulnerability (CVE-2021-7255).

In general, both actors hold detailed version-specific configurations from which they load the relevant information once the OS version is determined. The main difference between the two is that the code flow in Volodya's exploits rarely depends on the OS version, while PlayBit includes multiple twists and knobs using various if-checks that depend on the OS version. This in turn explains their different interest in the exact version details.

Leaking Kernel Addresses

In the vast majority of exploits, the actor tunes the exploit using a kernel-pointer-leak primitive. In all exploits except for CVE-2021-1458, this leak primitive is the well-known HMValidateHandle technique.

HMValidateHandle() is an internal, unexported function from user32.dll that is leveraged by various functions such as IsMenu(), and can be used to get the kernel address of different Window objects in all Windows versions up to Windows 10 RS4. This technique was widely known and used even back in 2021, when most exploitation tutorials chose to specifically parse IsMenu() to find the address of HMValidateHandle().

It's surprising to see that out of dozens of different functions that could be used for finding HMValidateHandle(), the actor simply followed the well-known tutorials and chose to use IsMenu() as well. It's even more surprising to see that this common exploitation technique still worked quite well throughout the years, giving the actor no incentive to try to "hide" by choosing a less known function such as CheckMenuRadioItem().

The leak gives us the following:

  • Kernel address of our window.
  • Kernel address of our THREAD_INFO (the pti field).

This information is used in several steps throughout the exploit:

  • Addresses are used when pointing to / creating fake kernel structs.
  • Making sure our kernel address is a valid Unicode string (doesn't contain two consecutive '\x00' bytes).
  • The pti is used to locate a valid EPROCESS, which is then used throughout the Token Swap phase.

Comparison to PlayBit: PlayBit chose to implement this feature via direct access to the user-mode Desktop Heap. More on this subject will be found in a future blog post focusing on this actor.

Token Swap

The ultimate goal of the exploit is to grant SYSTEM privileges to the desired process, according to the given PID argument. Traditionally, the way to achieve this is by replacing the process's token in the EPROCESS/KPROCESS structure with the token of the SYSTEM process.

Here are some common techniques for doing exactly that. You'd be surprised to see how many different options there are for implementing this feature.

Using Ps* symbols

The Windows kernel contains the following functions and global variables for process-related functionality:

  • PsLookupProcessByProcessId – Retrieves a pointer to the process's EPROCESS
  • PsInitialSystemProcess – Global variable holding a pointer to SYSTEM's EPROCESS.
  • PsReferencePrimaryToken – Returns a pointer to the primary token of the process.

By executing these functions in kernel-mode, a given shellcode can easily locate SYSTEM's token, but this still doesn't solve the problem of how to assign it in the required EPROCESS.

For this purpose there are 2 common solutions:

  • Directly access the correct offset within the EPROCESS using a version-specific offset.
  • Scan the EPROCESS looking for our own pointer (known from the previous call to PsReferencePrimaryToken) and replace the entry once a match is found.

This technique requires executing code in kernel-mode, and so could be blocked by the SMEP protection, unless an additional SMEP bypass is deployed.

Scanning the PsList

The common alternative for locating the EPROCESS of both the target and SYSTEM processes is to scan the doubly-linked process list, called the PsList. The steps involved in this technique are:

  1. Locate an initial EPROCESS (using the leaked pti field).
  2. Scan the PsList looking for an EPROCESS with the target PID.
  3. Scan the PsList looking for the EPROCESS of SYSTEM by searching for a PID of 4, or a name of SYS*.
  4. Extract the token and place it at the matching offset in the target process.
  5. Carefully update the reference count of SYSTEM's token.

Figure 8: Volodya exploit using an Arbitrary-Read primitive in search of SYS*, as can be seen in Cutter.

This technique requires the offset of both the primary token and the LIST_ENTRY for the PsList, practically mandating that they are both stored as part of a version-specific configuration.

The major advantage of this technique is that while it can still be implemented as a simple shellcode in kernel-mode (as done in the exploit for CVE-2021-0263), it can also be implemented entirely in user-mode. To do so, you need two exploit primitives, one for an Arbitrary-Read (from kernel-space) and the other for an Arbitrary-Write (into kernel-space). Working in user-mode solves the issues we detailed before regarding SMEP, rendering this protection useless against such exploit primitives.

As the token is a reference-counted object, it is important to properly register the reference that was just added in order to avoid a Blue-Screen-Of-Death (BSOD) when the elevated process terminates. In fact, there are two different reference counts:

  • The token is an EX_FAST_REF object – the lower pointer bits are used as a ref-count.
  • An OBJECT_HEADER is stored before the token, holding yet another ref-count.

As our actor chose to update the latter ref-count field, the following steps are needed:

  1. Mask out the ref-count bits from the token's pointer – it should be aligned to 8 bytes on 32-bit processes, and to 16 bytes on 64-bit processes.
  2. Subtract the constant needed in order to point at OBJECT_HEADER's ref-count field.
  3. Read the value (using an Arbitrary-Read exploit primitive).
  4. Increment it accordingly.
  5. Write back the updated value.

However, as can be seen in Figure 9, we found the following bug in all the 32-bit exploits that contained this feature:


Figure 9: An implementation bug in the reference-count update used in 32-bit exploits.

The alignment mask used when reading the reference-count value is an alignment to 8 bytes, while a different mask is used when writing back the updated value. If the token is stored at a memory address that is aligned to 8 bytes but not to 16 bytes, the write operation will update the wrong field.
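As an added illustration (not code from the exploits or from Check Point), the following C snippet models the EX_FAST_REF masking and the read-increment-write of the OBJECT_HEADER ref-count described above over a small constructed memory window, and reproduces the 8-byte/16-byte mask mismatch. The OBJECT_HEADER size constants are assumptions for this example, not values taken from the samples.

```c
#include <stdint.h>
#include <stdbool.h>

/* Alignment masks: the low pointer bits of an EX_FAST_REF hold the fast ref-count. */
#define REFCOUNT_MASK_32   0x7u   /* token pointer aligned to 8 bytes on 32-bit  */
#define REFCOUNT_MASK_64   0xFu   /* token pointer aligned to 16 bytes on 64-bit */
/* Assumed distance from the object body back to OBJECT_HEADER's ref-count field. */
#define OBJ_HEADER_SIZE_32 0x18u
#define OBJ_HEADER_SIZE_64 0x30u

/* Correct handling: strip the ref-count bits with the mask of the target
 * bitness, then step back to the OBJECT_HEADER ref-count field. */
static uint64_t refcount_field_addr(uint64_t fast_ref, bool is64)
{
    uint64_t mask = is64 ? REFCOUNT_MASK_64 : REFCOUNT_MASK_32;
    uint64_t hdr  = is64 ? OBJ_HEADER_SIZE_64 : OBJ_HEADER_SIZE_32;
    return (fast_ref & ~mask) - hdr;
}

/* The 32-bit bug: the read uses the 8-byte mask, the write-back the 16-byte
 * mask. Returns true when the two computed addresses differ. */
static bool write_targets_wrong_field_32(uint32_t fast_ref)
{
    uint32_t read_addr  = (fast_ref & ~REFCOUNT_MASK_32) - OBJ_HEADER_SIZE_32;
    uint32_t write_addr = (fast_ref & ~REFCOUNT_MASK_64) - OBJ_HEADER_SIZE_32;
    return read_addr != write_addr;
}

/* Simulated steps 3-5 over a constructed "kernel memory" window (uint32_t
 * words starting at virtual address kbase). Returns the address written,
 * so the caller can see where the buggy path lands. */
static uint32_t increment_refcount_32(uint32_t *kmem, uint32_t kbase,
                                      uint32_t fast_ref, bool buggy)
{
    uint32_t read_addr  = (fast_ref & ~REFCOUNT_MASK_32) - OBJ_HEADER_SIZE_32;
    uint32_t write_mask = buggy ? REFCOUNT_MASK_64 : REFCOUNT_MASK_32;
    uint32_t write_addr = (fast_ref & ~write_mask) - OBJ_HEADER_SIZE_32;
    uint32_t value = kmem[(read_addr - kbase) / 4];   /* step 3: read */
    kmem[(write_addr - kbase) / 4] = value + 1;       /* steps 4-5: write back */
    return write_addr;
}
```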

While CVE-2021-0040 and CVE-2021-0167 use the Ps* technique, scanning the PsList is by far our actor's favorite way of performing a token swap, used in 8 of their exploits. In 7 of those, they used Arbitrary-Read and Arbitrary-Write from user-mode.

Comparison to PlayBit: In all of their samples, we have always seen PlayBit use the Ps* functions for a token swap. This decision forced the actor to implement multiple SMEP bypasses, which they integrated into their later exploits for CVE-2021-7255 and CVE-2021-8453. This design choice explains why the actor doesn't bother implementing a proper Arbitrary-Read primitive as part of the exploit. Instead of using a version-specific configuration for the offset of the token in the EPROCESS, PlayBit always scans the EPROCESS to search for it, usually using 0x300 or 0x600 as the upper limit for the search.

It is worth noting that the memory corruption technique used by PlayBit in the different exploits was also used by Duqu 2.0 and was analyzed in Microsoft's previous VB talk from 2021. Through this memory corruption, they can trigger multiple memory reads/writes from/to kernel memory that help during the exploit.


Figure 10: PlayBit exploit scanning the EPROCESS in search of the token, as can be seen in Cutter.

Wrapping it up

While there are additional aspects we could discuss, such as the different syscalls each actor prefers to use during the exploitation process, or the naming conventions for created objects like Windows and ScrollBars, we believe that the list above clearly demonstrates the efficiency and validity of our approach.

As can be seen from the list above, almost every aspect of an exploit can be implemented in several different ways. Still, both of our actors were very consistent in their respective exploitation routines, each sticking to their favorite approach.

The Clients

Throughout our entire research process, we wanted to focus on the exploit authors themselves, whether Volodya, PlayBit or others. And yet, we think there is also a lot to be learned by looking at these exploit authors' clientele. The list of Volodya's clients is diverse and includes banker trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started in cyber-crime and later shifted to cyber-espionage). Interestingly, we can see that Volodya's 0-days are more likely to be sold to APT groups, while 1-days are purchased by multiple crimeware groups. Without further intel, we can only assume that once a 0-day is detected by the security industry, the exploit is recycled and sold at a lower price as a non-exclusive 1-day.

The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia, and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house. This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.

The following table summarizes the CVEs we were able to attribute to Volodya, as well as the clients or malware groups we found using these exploits. CVEs marked in blue are 0-days, and naturally more expensive. The highlighted groups on the left are considered APTs.


Figure 11: Volodya's clients and the CVEs that were used by them.

They grow up so fast

Before reviewing the different trends we noted while examining the exploit samples over a period of time, we should emphasize that we have limited visibility, as we can't discuss 0-Days that weren't caught yet. In addition, we can only attempt to date samples to the period before they were caught, but the sad truth is that we are usually pretty much bound to the date on which the exploit was actually first seen in the wild.

Also, it is important for us to mention that it was clear from the start that Volodya was already quite experienced when developing the first exploit we were able to attribute to them – CVE-2021-2546. For example, it had a unique Arbitrary-Write primitive that we couldn't trace to any other exploit tutorial or exploit.

During the analysis of the exploits, as well as the analysis of dozens of malware samples we collected, we noticed an interesting shift. While the earlier Volodya exploits were sold as source code to be embedded in the malware, the later exploits were sold as an external utility that accepts a certain API. This change may suggest that Volodya is taking more precautions.

During the time between 2021 and 2021, we also noticed significant improvements in Volodya's technical abilities. As they grew bigger and more experienced, Volodya started using simpler Arbitrary Read and Write primitives, and they even fixed a bug in these primitives between CVE-2021-2546 and CVE-2021-0165*. Also, the code of the exploits became more modular, as large functions were split into smaller sub-routines. In addition, their approach to searching for and accessing specific offsets in various structs was also improved; in recent implementations it became more dynamic and safe, as it better handled changes in minor versions of Windows.

Not only does this show the learning curve and development of our actor, but it also hints at their abilities. The ability to find and reliably exploit Windows kernel vulnerabilities is really not that simple. We can see in comparison that PlayBit was practically very active in this market between the years 2021-2021, and their focus was on selling exploits for 1-Day vulnerabilities, one of which was a 0-Day of Volodya (CVE-2021-7255).


Our research methodology was to fingerprint an exploit author's characteristics and later use these properties as a unique hunting signature. We deployed this technique twice, when tracking down Volodya's exploits and those of PlayBit. Having these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.

During this research, we focused on the exploits that are used by or embedded in different malware families, both in APT attacks and in commodity malware (especially ransomware). Although they are widespread, we often found detailed malware reports that neglected to mention that the malware at hand also uses an exploit for escalating its privileges.

The fact that we were able to use our technique, repeatedly, to track 16 Windows LPE exploits, written and sold by two different actors, was very surprising. Considering that 15 of them date to the time frame of 2021-2021, it is plausible to assume that they constitute a significant share of the exploitation market, specifically for Windows LPE exploits.

Finally, it is impossible to tell the overall number of Windows kernel 0-day vulnerabilities that are being actively exploited in the wild. Nation-state actors are less likely to get caught, and thus the infosec community does not have clear visibility into their ammo crate. That said, we can still gain insights by looking at the exploits that were caught, while remembering this survivorship bias. Last year, Kaspersky reported a single actor who distributed an exploit framework that includes 3 more 0-Days. Adding up these numbers, we see that 8 out of 15 zero-day exploits, more than half of the "market-share", are attributed to just two actors(!). This means that our research methodology could potentially be used to track down most of the actors in the observed market, if not all of them.

Recommendation for Protection

Check Point Threat Emulation provides protection against this threat:


Appendix – IOC Table
