Recent Windows Zero-Day Used by FruityArmor APT Takes Over PCs via Font Files

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
A cyber-espionage group nicknamed FruityArmor is using a recently patched Windows zero-day to attack targets via malformed font files.

The zero-day in question is CVE-2016-3393, which Microsoft described as a flaw in the Graphics Device Interface (aka GDI or GDI+) component that leads to attackers being able to execute code on affected devices and take over the user's system.

Microsoft patched the security flaw earlier this month, on October 11, in security bulletin MS16-120, after a tip-off from Kaspersky researchers, who discovered it used in live attacks.

Zero-day discovered by new technology deployed with Kaspersky products
According to a write-up of the events by Kaspersky researcher Anton Ivanov, the company discovered the zero-day with the help of a new set of technologies they've deployed in their security software.

This same technology helped the company identify three other zero-days, all affecting Adobe's Flash Player: CVE-2016-0165, CVE-2016-1010, and CVE-2016-4171. This marks the first zero-day this new technology discovered in non-Adobe products.

Ivanov says that they've discovered CVE-2016-3393 as part of a browser-based exploit chain deployed in cyber-espionage campaigns attributed to a new group they've recently discovered, named FruityArmor.

Zero-day delivered via browser exploit chain
The Kaspersky expert says that FruityArmor attacked targets by tricking them into accessing a malicious page that contained a browser-based exploit. If the initial browser exploit was successful, the attack would continue with a weaponized version of CVE-2016-3393.

"This comes in the form of a module, which runs directly in memory," Ivanov explains. "The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module directly loads the code exploit from memory with the help of AddFontMemResourceEx. After successfully leveraging CVE-2016-3393, a second stage payload is executed with higher privileges to execute PowerShell with a meterpreter-style script that connects to the C&C."

New FruityArmor APT has a PowerShell fetish
As for the FruityArmor APT, Kaspersky says the group distinguishes itself among other cyber-espionage groups because of its obsession with PowerShell.

Ivanov says the FruityArmor uses only PowerShell-based malware, and even the commands the malware receives from the group are in the form of PowerShell scripts.

Ivanov didn't reveal any details about FruityArmor's targets. A request for comment was not answered until the article's publication.
Click to expand...
 
  • Like
Reactions: Der.Reisende, Solarquest, Deleted member 2913 and 1 other person
You must log in or register to reply here.

Similar threads

[correlate]
    • Like
    • +Reputation
Security News Windows CLFS and five exploits used by ransomware operators
Replies
0
Views
855
Security News
[correlate]
[correlate]
Ink
    • Like
    • +Reputation
Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers
Replies
0
Views
943
News Archive
Ink
Ink
Gandalf_The_Grey
    • Like
    • +Reputation
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
Replies
2
Views
1,512
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top