What is Buhtrap group?
It is actually a group famous for its targeting of financial institutions and businesses in Russia.
Buhtrap group uses a zero-day exploit in June 2019 to conduct cyber-espionage.
Many people become victim of zero-day CVE-2019-1132; even Windows responded this and offered patch for it.
A NULL pointer dereference in the win32k.sys component was used by the exploit.
Report will be sent to Microsoft Security Response Center as long as the exploit was discovered and analyzed.
Microsoft Windows responded to this security bug in time and released a patch for fixing it.
Windows Patches Zero-day Vulnerability, But Windows Still Vulnerable.
It is a cyber-attack and there is no available fixes when its exploited.
It is a cyber attack and there is no available fixes when its exploited.
This was the first time that Buhtrap group uses a zero-day exploit as part of a campaign.
What will it do in the first window?
It often does two things: create popup menu objects and add menu items through CreatePopupMenu and AppendMenu functions.
Apart from this, the exploit will set up WH_CALLWNDPROC and EVENT_SYSTEM_MENUPOPUPSTART hooks.
A menu will be listed by exploit via the TrackPopupMenu function.
Now, the code hooked to EVENT_SYSTEM_MENUPOPUPSTART will be executed.
What triggers the vulnerability?
This will cancel the initial menu, but the sub-menu will still be kept.
The fact is the tagPOPUPMENU>ppopupmenuRoot equals 0 if you check the sub-menu object in kernel mode.
What does this mean?
What will it do in the second window?
The main exploit will locate the tagWND structure of the second window and lip the bServerSideWindowProc bit in it.
This will finally execute a WndProc procedure in kernel mode.
What will the exploit do next?
Indeed, it will create a fake tagPOPUPMENU object at the NULL page.
Then, a MN_BUTTONDOWN message will be sent to a MN_BUTTONDOWN message by the exploit.
After that, the win32k!xxxMNOpenHierarchy function will be executed by the kernel.
Therefore, a crafted object at the NULL page will be passed to win32k!HMAssignmentLock.
Where is the bServerSideWindowProc bit?
It is set inside the win32k!HMDestroyUnlockedObject function.
Where is this function?
It is a few calls deeper inside win32k!HMAssignmentLock.
Now, the zero-day 2019 exploit can send a specific message to the second window.
Thats how the WndProc in kernel mode be executed.
In the end, the token of the current process will be replaced by the system token.
