Application security

Spearphishers using a Windows zero day to attack companies

Updated FireEye believes a mature and sophisticated criminal operation has been responsible for conducting spearphishing attacks that resulted in more 100 organizations in North America being victimized.

Starting in March the attackers utilized a Microsoft zero-day vulnerability (CVE-2016-0167) along with a previously unknown elevation of privilege exploit and what had been an unnamed point of sale memory scraping exploit, now named Punchtrack, to gain access to systems after performing a successful spearphishing campaign. The emails contained a malicious download called Punchbuggy, which is a dynamic-link library downloader for 32- and 64-bit computer systems.

The vulnerability was patched in April.

The FireEye threat research team of Dhanesh Kizhakkinan, Yu Wang, Dan Caselden and Erica Eng noted in their report that likely only one group is responsible for these attacks.

“In the past year, not only have we observed this group using similar infrastructure and techniques, tactics, and procedures (TTPs), but they are also the only group we have observed to date who uses the downloader PUNCHBUGGY and POS malware PUNCHTRACK. Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk,” the report stated.

The attacks tracked by FireEye have come frequently and are large in scale with the researchers said shows a level of operational awareness paired with the ability to make changes on the fly to the malware.

Patches issued by Microsoft on May 10 along with other mitigating efforts has stopped this specific group from continuing its attack using a Windows vulnerability.

"The underlying vulnerability (CVE-2016-0167) was indeed patched, and the vulnerable subsystem was further hardened against similar issues on this Tuesday. We are not aware of any ongoing attacks by this group that exploit other Windows vulnerabilities," Caselden told in an email.

Update includes Caselden's comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.