The new campaign was discovered by researchers at Kaspersky labs and targets researchers and individuals working in the government organisation.
CVE-2018-8453 is an elevation of privilege vulnerability affecting win32k.sys when it fails to handle the objects in the memory properly.
An attacker could exploit this vulnerability to run arbitrary code in kernel mode and can install programs, view, change, or delete data and create new accounts with full user rights.
“In August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis into this case led us to uncover a zero-day vulnerability in win32k.sys. “
The exploit contains a first stage malware installer which is used to get necessary privileges for persistence on the targeted system.
Here since the exploit contains a malware installer it needs system privilege to install the payload. The final payload is a sophisticated implant which provides attackers persistent access to the targeted system.
As of now researchers only detected a limited number of attacks exploiting this vulnerability and all of them are located in the Middle East.
“During our investigation, we discovered the attackers were using a PowerShell backdoor that has previously been seen exclusively used by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.” said in the post published Kaspersky labs.
Kaspersky researchers in August discovered the CVE-2018-8453 vulnerability and notified Microsoft about it.
Microsoft has released a patch for the zero-day vulnerability in October 2018 Patch Tuesday security bulletin released yesterday. Users are advised to update their system immediately.
You may be interested in reading:Google Shutdowns Google+ After Bug Exposed User Data of 500,000 Users