Check Point security researchers Itay Cohen and Eyal Itkin managed to track 16 Windows Kernel Local Privilege Escalation (LPE) exploits to two different exploit developers known as Volodya (or BuggiCorp) and PlayBit (or luxor2008).
Of the 16 exploits, which were created between 2015 and 2019 and made up a large share of the Windows LPE exploits in circulation at the time, Check Point attributed 15 to a known exploit developer.
The researchers looked for uncommon traits in the compiled exploits that could be tied to a specific writer: unique artifacts (such as strings, hardcoded values and PDB paths), coding habits and techniques, recurring code snippets, and information about the framework the exploit was built with.
They worked from the assumption that exploit writers operate independently of the malware authors and supply only their source code or a compiled binary module, and so chose to focus on the exploit writers rather than on the malware around them.
Because that module is embedded in the malware sample, it carries the exploit writer's coding habits and other fingerprints along with it; studying the exploits found inside malware samples therefore reveals details about the exploit author rather than about the malware author who bought the exploit.
Starting from a single malware sample, the researchers wrote hunting rules based on a few of the exploit functions extracted from it and used those rules to track down dozens of other samples containing code written by the same developer.
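A minimal version of that seed-and-hunt loop, written here as an added example and not taken from Check Point's tooling: it pulls printable strings and PDB paths out of constructed byte blobs standing in for binaries, discards any artifact that also appears in an unrelated baseline corpus (common API names are present in almost every binary and are useless as fingerprints), and then scans other samples for the surviving markers. The sample bodies, the PDB paths and the marker strings are invented for the illustration and are not artifacts of the Volodya or PlayBit exploits.

```python
import re

# All sample bodies below are constructed stand-ins for raw binaries.
# The PDB paths and marker strings are hypothetical; they are not artifacts
# taken from the Volodya or PlayBit exploits described in the research.
SEED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"C:\\work\\lpe\\x64\\Release\\win32k_lpe.pdb\x00"
    + b"ZwQuerySystemInformation\x00"   # common API name, not discriminating
    + b"token_swap_done_v2\x00"         # unusual author-specific marker
    + b"\x00" * 4
)

# Unrelated corpus used to discard artifacts that occur everywhere and
# therefore say nothing about who wrote the seed sample.
BASELINE = [
    b"MZ\x90\x00" + b"ZwQuerySystemInformation\x00GetProcAddress\x00",
    b"MZ\x90\x00" + b"C:\\build\\tool\\Release\\tool.pdb\x00LoadLibraryA\x00",
]

# Samples returned by a hypothetical retrohunt, to be scored against the seed.
CANDIDATES = {
    "same_author_1day": (
        b"MZ\x90\x00" + b"C:\\work\\lpe\\x64\\Release\\cve_other.pdb\x00"
        + b"ZwQuerySystemInformation\x00token_swap_done_v2\x00"
    ),
    "unrelated_malware": (
        b"MZ\x90\x00" + b"C:\\build\\tool\\Release\\tool.pdb\x00"
        + b"ZwQuerySystemInformation\x00GetProcAddress\x00"
    ),
    "weak_variant": b"MZ\x90\x00" + b"token_swap_done_v2\x00LoadLibraryA\x00",
}

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{8,}")
PDB_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]+?\.pdb")


def extract_artifacts(sample: bytes) -> set:
    """Pull candidate fingerprints out of a binary blob.

    Only printable strings of 8+ characters and PDB paths are extracted here;
    hardcoded constants and code snippets would get their own extractors.
    The PDB build directory is recorded as a separate artifact because a
    developer tends to reuse the same directory across projects even when
    the file name changes from one exploit to the next.
    """
    artifacts = set(PRINTABLE_RE.findall(sample))
    for path in PDB_RE.findall(sample):
        artifacts.add(b"pdbdir:" + path.rsplit(b"\\", 1)[0])
    return artifacts


def select_fingerprints(seed: bytes, baseline: list) -> set:
    """Keep only the seed's artifacts that never occur in the baseline corpus."""
    common = set()
    for sample in baseline:
        common |= extract_artifacts(sample)
    return extract_artifacts(seed) - common


def hunt(fingerprints: set, candidates: dict, min_hits: int = 2) -> dict:
    """Return {name: hit_count} for candidates sharing at least min_hits fingerprints."""
    results = {}
    for name, sample in candidates.items():
        hits = len(extract_artifacts(sample) & fingerprints)
        if hits >= min_hits:
            results[name] = hits
    return results


FINGERPRINTS = select_fingerprints(SEED_SAMPLE, BASELINE)

if __name__ == "__main__":
    for art in sorted(FINGERPRINTS):
        print("fingerprint:", art)
    print("matches (>=2 hits):", hunt(FINGERPRINTS, CANDIDATES, min_hits=2))
    print("matches (>=1 hit): ", hunt(FINGERPRINTS, CANDIDATES, min_hits=1))
```

The hit threshold is what keeps a single shared string from turning into an attribution: one marker can be explained by a copied snippet or a shared library, whereas a sample that reuses both the build directory and the marker is a much stronger lead. In real use the candidates would come from a retrohunt over a sample repository and the extractor would be extended to the hardcoded values and function bodies the researchers describe.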
The researchers then matched the samples to the vulnerabilities they exploited and identified the author of 10 different 0-day and 1-day Windows LPE exploits as Volodya, an exploit developer known for selling 0-days to cybercrime groups and to Russian APT groups.
According to the report, Volodya's clients include banking trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap.
The pattern in the data suggests that Volodya's 0-days were sold to APT groups, while the 1-days were bought by multiple crimeware groups.
Using the same method, the researchers tracked down 5 Windows LPE 1-day exploits developed by PlayBit, starting from a single malware sample used by the REvil ransomware to compromise systems vulnerable to CVE-2018-8453.
PlayBit sold these exploits to the ransomware gangs REvil and Maze.
The exploit “fingerprinting” technique used by Check Point researchers can be used for purposes other than identifying an exploit’s developer.
By attributing an exploit to its author with a technique similar to the one used when tracking APT groups and malware developers, researchers can also:
- Detect the presence of exploits written by these exploit developers in specific malware families.
- Detect additional exploits written by the same developer, since they share a common "fingerprint"; this potentially includes 0-days written by these developers, flagged before the vulnerability itself is known.
- Block every malware family that bought a given exploit from a developer who has been studied and fingerprinted.
Based on these two successful test cases, the researchers believe the methodology can be used to identify additional exploit writers, and they encourage other researchers to apply the same technique.