Windows Kernel Zero-Day Exploit Used By Bitter APT in Targeted Attack

DBAPPSecurity identified a zero-day exploit present in targeted Bitter APT attacks. They discovered the in-the-wild sample in December 2020 and reported the vulnerability (CVE-2021-1732) to Microsoft, who released a patch in their February 2021 Security Update.

Bitter APT has been using this exploit since at least May 2020. The exploit is capable of being executed on Windows 10 1709 to 1909 systems, which the malware checks prior to execution.

The malware initially runs under a medium integrity level but uses the vulnerability to perform privilege escalation and obtain a System integrity level. The researchers determined that modifications could be made to the code to allow it to run in 20H2, but the existing samples cause a BSOD in anything since 1909.

DBAPPSecurity notes that this vulnerability is of high quality and the exploit is sophisticated.

Further information at – https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/

Yara Rule

rule apt_bitter_win32k_0day {
    meta:
        author = "dbappsecurity_lieying_lab"
        data = "01-01-2021"

    strings:
        $s1 = "NtUserConsoleControl" ascii wide
        $s2 = "NtCallbackReturn" ascii wide
        $s3 = "CreateWindowEx" ascii wide
        $s4 = "SetWindowLong" ascii wide

        $a1 = {48 C1 E8 02 48 C1 E9 02 C7 04 8A}
        $a2 = {66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1}
        $a3 = {48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1}

    condition:
        uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
}

Timeline

• · 2020/12/10: DBAPPSecurity Threat Intelligence Center caught a new component of BITTER APT.
• · 2020/12/15: DBAPPSecurity Threat Intelligence Center uncovered an unknown windows kernel vulnerability in the component and started the root cause analysis.
• · 2020/12/29: DBAPPSecurity Threat Intelligence Center reported the vulnerability to MSRC.
• · 2020/12/29: MSRC confirmed the report has been received and opened a case for it.
• · 2020/12/31: MSRC confirmed the vulnerability is a zero-day and asked for more information.
• · 2020/12/31: DBAPPSecurity provided more detail to MSRC.
• · 2021/01/06: MSRC thanked for the addition information and started working for a fix for the vulnerability.
• · 2021/02/09: MSRC fixes the vulnerability as CVE-2021-1732.