Written in PowerShell, a zero day employed by the APT group FruityArmor can elevate privileges on a targeted computer.

An APT group has distinguished itself by employing PowerShell in the coding platform it uses to distribute malware.

A Windows escalation of privilege (EoP) exploit (CVE-2016-3393) was discovered by Kaspersky Lab in September 2016, reported to Microsoft and patched with a Microsoft update this week (MS16-120).

But taking a step back, Kaspersky on Thursday detailed its investigation of the zero day – employed by the APT group it dubbed FruityArmor – that can elevate privileges on a targeted computer using PowerShell, an automation platform and scripting language for Windows.

Entering machines via a browser exploit, in combination with an EoP exploit, FruityArmor gains remote code execution on a targeted device. The EoP exploit enables the code to escape the sandbox, the researchers explained.

A module operating in memory then unpacks a specially crafted TTF font in which the CVE-2016-3393 exploit is contained.

"After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx," the report stated. "After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C."

From there, the report explained, attackers can trigger memory corruption by causing an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL.

Because font processing in Windows 10 is performed in a special user-mode process with restricted privileges, "this is a very good solution," the researchers said. "But the code has the same bug in the TTF processing."

As a consequence, if a user loads or opens this font exploit in Windows 10, they will be greeted with the crash of fontdrvhost.exe.

Kaspersky Lab detects this exploit as: HEUR:Exploit.Win32.Generic and PDM:Exploit.Win32.Generic.

Victims of FruityArmor have been observed in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden, Costin Raiu, director of the global research and analysis team at Kaspersky Lab, informed SCMagazine.com on Thursday.

The victim profile appears to be researchers with roles related to government, as well as activists, he said. 

"What makes FruityArmor stand out is its use of zero-days and a signature framework written in PowerShell that uses WMI [Windows Management Instrumentation] for persistence," Raiu pointed out.

This makes it extremely hard to detect since it has no files on disk and the payloads run directly in memory, he said.

Kaspersky Lab products have been updated to detect and remove FruityArmor from inside WMI storage, Raiu said. It also provided subscribers of its private APT reports with network-level indicators of compromise (IOCs) that can detect infections.
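
For defenders who want to look at the WMI storage Raiu refers to, the following added example (not from Kaspersky's report or tooling) lists WMI permanent event subscriptions whose consumers can run code and flags script-like payloads. It assumes the persistence is registered as a filter-to-consumer binding in the `root\subscription` namespace, which the article does not specify; the function name and keyword list are illustrative and are not FruityArmor indicators.

```powershell
# Added example: audit WMI permanent event subscriptions. Run from an elevated prompt.
# Assumption: persistence lives in root\subscription; keywords are illustrative, not IOCs.
function Get-WmiSubscriptionAudit {
    [CmdletBinding()]
    param(
        [string]$ComputerName = 'localhost',
        [string[]]$Keyword = @('powershell', '-enc', 'FromBase64String', 'IEX', 'Invoke-Expression')
    )
    $cim = @{ Namespace = 'root/subscription'; ErrorAction = 'Stop' }
    if ($ComputerName -ne 'localhost') { $cim.ComputerName = $ComputerName }

    # Index event filters (the trigger) by name.
    $filters = @{}
    Get-CimInstance @cim -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }

    # Index the two standard consumer classes that can execute commands or scripts.
    $consumers = @{}
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        Get-CimInstance @cim -ClassName $class |
            ForEach-Object { $consumers["$class/$($_.Name)"] = $_ }
    }

    # A binding ties one filter to one consumer; only bound consumers ever fire.
    foreach ($b in Get-CimInstance @cim -ClassName __FilterToConsumerBinding) {
        $cClass = $b.Consumer.CimSystemProperties.ClassName
        $c = $consumers["$cClass/$($b.Consumer.Name)"]
        if (-not $c) { continue }   # consumer type that cannot run code, e.g. event log writer

        $f = $filters[$b.Filter.Name]
        # Properties that do not exist on a given consumer class evaluate to $null.
        $payload = @($c.CommandLineTemplate, $c.ExecutablePath,
                     $c.ScriptText, $c.ScriptFileName) -join ' '
        $hits = @($Keyword | Where-Object { $payload -like "*$_*" })

        [pscustomobject]@{
            Filter     = $b.Filter.Name
            Query      = $f.Query            # WQL condition that triggers the consumer
            Consumer   = "$cClass/$($b.Consumer.Name)"
            Payload    = $payload.Trim()
            Suspicious = ($hits.Count -gt 0)
            Matched    = $hits -join ','
        }
    }
}

Get-WmiSubscriptionAudit | Sort-Object Suspicious -Descending | Format-List
```

Any binding listed here that is not attributable to known management software deserves review even when `Suspicious` is false, since the keyword match is only a triage aid.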