Malware writers exploit recent Windows Task Scheduler 0-day vulnerability

It's a little over a week since a vulnerability in the Windows Task Scheduler was revealed. A patch for the 0-day has been released by third party security firm 0patch, but there's bad news for anyone who hasn't secure their system against the security threat -- malware writers are already taking advantage of the flaw.

The exploit was partly facilitated by the fact that the source code for a proof-of-concept exploit for the ALPC LPE vulnerability -- as well as a binary -- was published on GitHub. Now a group that has been named PowerPool has been spotted using the code in a malware campaign.

See also:

• Microsoft Windows task scheduler 0-day outed on Twitter
• 0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability

The security firm ESET noticed the campaign and says: "As one could have predicted, it took only two days before we first identified the use of this exploit in a malicious campaign from a group we have dubbed PowerPool. This group has a small number of victims and according to both our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the targeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine".

Rather than using the published source code "as is", PowerPool modified it slightly before recompiling -- presumably either in an attempt to evade detection, or to make it appear like a new piece of work.

ESET explains how the threat actor used a flaw in the SchRpcSetSecurity API function to gain write access to the file GoogleUpdate.exe. Then, the explanation continues, "they overwrite it with a copy of their second-stage malware in order to gain SYSTEM privileges the next time the updater is called". The second-stage malware is a backdoor.

ESET issues a warning about the way in which this vulnerability was revealed:

The disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk. In this case, even the most up-to-date version of Windows could be compromised as no patch was released when the vulnerability and exploit were published. The CERT-CC provides some mitigations but Microsoft has not officially approved them.

This specific campaign targets a limited number of users, but don't be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available.

With Microsoft yet to release a fix for the vulnerability, users are left at risk unless they are willing to place their security in the hands of third-party patch developer 0patch.

Image credit: Spectral-Design / Shutterstock