PowerPool Uses Task Scheduler ALPC Exploit in Recent Attacks

Delaware, USA – September 13, 2018 — At the end of August, SandboxEscaper revealed Task Scheduler ALPC exploit on GitHub, and just two days later, researchers from ESET discovered exploitation of this flaw in the wild. PowerPool hacker group conducts a cyber espionage campaign targeted at users in the United States, Germany, Great Britain, India and a number of other countries. They modified the code of the published exploit and used it to gain write access to GoogleUpdate.exe during the attack. For the initial compromise of victims, PowerPool uses targeted phishing emails with the first-stage backdoor in the attachment, which performs reconnaissance and downloads the second-stage backdoor to the most interesting systems. PowerPool Backdoor Trojan is capable to download and upload files, execute commands and kill processes. In addition to the backdoor, attackers also use opensource tools PowerSploit, SMBExec, PowerDump, FireMaster and Quarks PwDump.

It is not yet known whether other hacker groups weaponized this exploit. Microsoft patched the vulnerability in Task Scheduler ALPC this Tuesday, so you need to install security updates as soon as possible. Also, you can find SIEM rules to detect Task Scheduler ALPC exploit in the Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/1315/