PuzzleMaker hackers attack computers with Chrome zero-day vulnerabilities

A new hacker group attacks devices running Windows OS

Hackers issue chain attacks through Google Chrome and Windows OS vulnerabilities

Kaspersky researchers have recently released a report [1] stating that multiple companies have been victims of a highly targeted cyber attack. After thoroughly analyzing the attacks and the malware that was dropped onto infected devices, the researchers found no resemblance to any known cybercriminal group, so they named the attackers, and the zero-day attack itself, PuzzleMaker.

The threat actor's activity was first spotted in the middle of April. The hackers used a chain of Windows 10 and Google Chrome zero-day[2] exploits to compromise computers and networks. To gain initial access to the targeted machines, they first used a remote code execution vulnerability in V8, Chrome's JavaScript engine.

Code execution inside the browser's sandbox is not enough on its own, so the attackers then used two Windows 10 vulnerabilities to escalate privileges: an information disclosure bug in the Windows kernel (ntoskrnl.exe) associated with the OS feature called SuperFetch, which pre-loads commonly used applications into memory for faster loading and in this case leaked kernel addresses, and a heap-based buffer overflow in the NTFS driver (ntfs.sys). With system-level privileges, the hackers gained the ability to download additional malware onto the compromised computers.

Targeted devices hit with four types of malware

The researchers' analysis states that by chaining the severe flaw in Google Chrome with the two Windows vulnerabilities (CVE-2021-31955, the kernel information disclosure, and CVE-2021-31956, the NTFS heap overflow), the attackers could deliver additional malware modules.[3] The first is a so-called stager module, which reports the successful exploitation back to the attackers and downloads a dropper module from a remote server under their control.

The dropper installs two further executables that are camouflaged as legitimate Windows OS files. The first one runs as a service and launches the other, and the chain ends with the execution of a remote shell module that gives the hackers almost complete control of the infected machine.

The remote shell's communications with the C&C (Command and Control) server are encrypted. The module lets the attackers upload additional payloads (e.g., ransomware) to the device, download files from it, create new processes on the system, and delete itself once its mission is accomplished.
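One hunt a defender can run for the disguise described above, as an added example that is not from the article or from the Kaspersky report: list every Windows service whose executable (or, for svchost-hosted services, whose ServiceDll) does not carry a valid Microsoft Authenticode signature. A malicious service can copy a Windows-looking file name, but it still has to point the service at its own binary, and that binary will not verify as Microsoft-signed. The script assumes an elevated PowerShell session on the host being checked; its output is a triage list, not proof of compromise, since legitimate third-party services are signed by their own vendors or not at all.

```powershell
# Added example, not code from the article or from the PuzzleMaker report.
# Enumerates Win32 services and flags those whose code is not validly signed by Microsoft.
# Assumes an elevated session; catalog-signed system binaries verify through the catalog.

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName }    # drivers live in Win32_SystemDriver and are not covered here

$findings = foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments, e.g. "C:\Program Files\x\y.exe" -arg
    $path = $svc.PathName
    if ($path.StartsWith('"')) {
        $exe = $path.Split('"')[1]
    } else {
        # Unquoted path: take everything up to and including the first ".exe"
        $idx = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        $exe = if ($idx -ge 0) { $path.Substring(0, $idx + 4) } else { $path.Split(' ')[0] }
    }

    # For services hosted in svchost.exe the real code is the DLL named by ServiceDll
    if ($exe -match 'svchost\.exe$') {
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $exe = [Environment]::ExpandEnvironmentVariables($dll) }
    }

    if (-not (Test-Path -LiteralPath $exe)) {
        # A registered service whose binary is gone is worth a look on its own
        [pscustomobject]@{ Service = $svc.Name; Path = $exe; Status = 'MissingFile'; Signer = $null }
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $exe
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    if (-not $isMicrosoft) {
        [pscustomobject]@{
            Service = $svc.Name
            Path    = $exe
            Status  = $sig.Status    # NotSigned, HashMismatch, UnknownError, or Valid with a non-Microsoft signer
            Signer  = $signer
        }
    }
}

$findings | Sort-Object Status, Service | Format-Table -AutoSize
```

A file that reports HashMismatch is the strongest lead: it has a Microsoft signature block but its contents have been altered. NotSigned entries under C:\Windows\System32 deserve attention next, since Microsoft's own binaries there verify through the catalog. Valid entries with a non-Microsoft signer are usually just third-party software and can be filtered by signer once the host's baseline is known.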

Both companies have patched the vulnerabilities

After the researchers reported the attack and the exploited vulnerabilities to Google and Microsoft, both companies issued patches. Google was the first to react, releasing[4] a Chrome update that fixed the V8 flaw on April 20.

Microsoft took longer, releasing security updates for the two Windows vulnerabilities with its June Patch Tuesday on June 8.[5] That update contained 50 security fixes, six of them for actively exploited vulnerabilities, with PuzzleMaker's two Windows zero-days among them.

So far this year, Google's zero-day research team, Project Zero, has also had its hands full. Since the Google Chrome browser runs on practically any operating system (Windows, macOS, Android, Linux), flaws in it can affect Windows devices as well as Macs and Android phones. Luckily, the company issues fixes extremely fast.

Nonetheless, this case shows that all internet users should be aware of the scale of cybercrime and the importance of cybersecurity. Staying attentive to details, keeping the operating system and installed software up to date (here, Chrome from April 20 onward and the June 2021 Windows updates), and using trustworthy security software go a long way.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for 2-spyware.com. He graduated from Washington and Jefferson College with a degree in Communication and Journalism studies.
