Exploiting Windows’ Task Scheduler
The Twitter user SandboxEscaper revealed a bug in the Advanced Local Procedure Call (ALPC) interface of the Windows 7 and Windows 10 Task Schedulers that could allow an attacker to gain administrative rights even if the malicious executable would be launched by a limited Windows user account.
SandboxEscaper released the PoC source code at the same time as disclosing the bug, which meant anyone could modify and repurpose that code for a wide-scale attack against Windows machines that can evade security protections, including antivirus scans.
How PowerPool Infects Victims’ PCs
A group called PowerPool modified that original PoC source code, recompiled it and then used it to replace Google Chrome’s auto-updater executable with its own malicious file in order to gain SYSTEM privileges on victims’ machines. The malware can perform actions such as executing commands, killing processes and uploading and downloading files, as well as listing folders.
The initial stage of the infection, which is kickstarted via a malicious attachment sent in an email to the victim, also allows the PowerTool group to perform some basic data collection, including taking screenshots of the victims’ PCs.
Still Awaiting Patches
Microsoft was seemingly caught off-guard by SandboxEscaper’s initial disclosure of the bug and has said that will release a patch on the next “Update Tuesday” on September 11.
CERT/CC has published some potential mitigations for this attack, but Microsoft has not officially approved them.