Used to compromise organizations in the USA and Canada. First attacks were detected in 08.03.2016.
PUNCHBABY or PUNCHTRACK Trojan.
Vulnerability details
Advisory: SB2016041203 - Multiple vulnerabilities in Microsoft Windows
Vulnerable component: Windows
CVE-ID: CVE-2016-0167
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Description:
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Known APT campaigns:
PUNCHTRACK - companies in USA and Canada
According to FireEye hackers used malware тАЬPUNCHTRACKтАЭ to steal usersтАЩ credit card data.
External links:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:Win64/CVE-2016...
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://technet.microsoft.com/library/security/ms16-039 http://www.securitytracker.com/id/1035532
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-11-2016/
http://blog.cybersheath.com/adobe-and-windows-zero-day-exploits-in-the-wild
https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/
https://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-exploiting-windows-and-f...
http://sensorstechforum.com/windows-zero-day-exploited-to-steal-credit-card-data-from-us-companies/
http://www.securityweek.com/windows-zero-day-leveraged-financial-attacks
http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/