Researchers have developed a new technique to "fingerprint" cybercriminals, including two prolific sellers of Windows exploits.
On Friday, researchers from Check Point said the "fingerprinting" technique has been used to link Windows local privilege escalation (LPE) exploits to two different authors, believed to have sold their creations previously to Russian advanced persistent threat (APT) groups as well as other clients.
In a blog post[1], the cybersecurity firm said that the technique grew out of an incident response engagement for a customer, in which a small 64-bit executable was found during an attack.
After analyzing the file, the team found unusual debug strings that pointed to an attempt to exploit a vulnerability on one of the target machines. The file contained a leftover PDB path -- "...\cve-2019-0859\x64\Release\CmdTest.pdb" -- which indicated the use of a real-world exploit tool.
Digging further, Check Point obtained a second, 32-bit file that had been compiled at the same time, pointing to the same individual. The team then set out to "fingerprint" identifiers uniquely recognizable as the work of specific exploit developers.
Check Point explored unique artifacts in binary code, internal file names, PDB paths, hard-coded values such as crypto constants and garbage values, data tables, string usage, syscall wrappers, and code snippets.
In addition, the team analyzed the author's preferred leaking and elevation techniques, whether or not heap spraying was in use -- and how -- as well as the general "flow" of the exploits. Global calls, field offsets, and API use were also noted.
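To show what linking two builds by compile-time artifacts looks like in practice, here is an added example (not Check Point's code or hunting rules, and not from the article) that carves CodeView "RSDS" records to recover PDB paths, extracts developer-style debug strings, and compares the resulting feature sets. The three sample blobs are constructed stand-ins for an x64 build, a sibling x86 build and an unrelated binary; the helper names, the `C:\constructed\...` paths and the debug strings are this example's own assumptions, not values from the incident.

```python
"""Added example: carve CodeView (RSDS) PDB records and build an author-style
fingerprint from build artifacts, the way the article describes linking an
x64 and an x86 build of the same project. The samples are constructed blobs,
not real binaries; the helper names and paths are this example's own."""
import hashlib
import re
import struct
import uuid

# CodeView record layout: "RSDS" + GUID(16 bytes) + age(u32) + NUL-terminated PDB path
RSDS_SIG = b"RSDS"
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Heuristic for developer debug output: "[+] ..." style markers or printf format specifiers
DEBUG_STRING = re.compile(r"^\[[+\-*!]\] |%[-0-9.]*[a-zA-Z]")
# Build-system tokens that differ between x86/x64 and Debug/Release builds of one project
VOLATILE_TOKENS = {"x64", "x86", "win32", "release", "debug"}


def carve_pdb_records(data: bytes) -> list:
    """Find every RSDS record in raw bytes (no PE parsing, so carved fragments work too)."""
    records = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        hdr_end = pos + 24
        nul = data.find(b"\x00", hdr_end)
        if hdr_end <= len(data) and nul != -1:
            guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
            (age,) = struct.unpack_from("<I", data, pos + 20)
            path = data[hdr_end:nul].decode("latin-1")
            records.append({"guid": str(guid), "age": age, "path": path})
        pos = data.find(RSDS_SIG, pos + 4)
    return records


def normalize_pdb_path(path: str) -> str:
    """Keep project directory and file name; drop arch/config so sibling builds collide."""
    tokens = [t.lower() for t in re.split(r"[\\/]", path) if t]
    tokens = [t for t in tokens if t not in VOLATILE_TOKENS]
    return "/".join(tokens[-2:])


def debug_strings(data: bytes) -> set:
    """Printable runs that look like the developer's own status or debug output."""
    found = set()
    for m in PRINTABLE.finditer(data):
        s = m.group().decode("ascii")
        if DEBUG_STRING.search(s):
            found.add(s)
    return found


def extract_features(data: bytes) -> set:
    """Artifacts stable across builds, attributable to an author rather than one compile."""
    feats = {"pdb:" + normalize_pdb_path(r["path"]) for r in carve_pdb_records(data)}
    feats |= {"str:" + s for s in debug_strings(data)}
    return feats


def fingerprint(features: set) -> str:
    """Order-independent digest of a feature set, usable as a hunting key."""
    return hashlib.sha256("\n".join(sorted(features)).encode()).hexdigest()


def similarity(a: set, b: set) -> float:
    """Jaccard overlap between two feature sets; 1.0 means identical artifacts."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def build_sample(pdb_path: bytes, strings: list) -> bytes:
    """Constructed stand-in for a binary: one RSDS record plus NUL-separated strings."""
    guid = bytes(range(16))  # all bytes non-printable, so the GUID never forms a string
    record = RSDS_SIG + guid + struct.pack("<I", 1) + pdb_path + b"\x00"
    return b"\x00" * 16 + record + b"\x00" * 8 + b"\x00".join(strings) + b"\x00"


# Constructed samples: an x64 build, a sibling x86 build, and an unrelated binary.
COMMON = [b"[+] Allocated fake object at 0x%p",
          b"[-] NtQuerySystemInformation failed: 0x%x",
          b"[*] Overwriting token pointer"]
SAMPLE_X64 = build_sample(b"C:\\constructed\\cve-2019-0859\\x64\\Release\\CmdTest.pdb", COMMON)
SAMPLE_X86 = build_sample(b"C:\\constructed\\cve-2019-0859\\Release\\CmdTest.pdb",
                          COMMON + [b"[*] Running 32-bit build"])
UNRELATED = build_sample(b"C:\\constructed\\dropper\\x64\\Release\\loader.pdb",
                         [b"[+] connected to %s:%d", b"payload: %s"])

if __name__ == "__main__":
    for name, blob in [("x64", SAMPLE_X64), ("x86", SAMPLE_X86), ("other", UNRELATED)]:
        feats = extract_features(blob)
        print(name, fingerprint(feats)[:16], sorted(feats))
    print("x64 vs x86:", similarity(extract_features(SAMPLE_X64), extract_features(SAMPLE_X86)))
    print("x64 vs other:", similarity(extract_features(SAMPLE_X64), extract_features(UNRELATED)))
```

The normalization step is the point: the raw PDB paths of the two sibling builds differ (one has an `x64` segment), so hashing them verbatim would split one developer into two; dropping the volatile build tokens makes the project directory and debug strings line up, and the Jaccard score then separates the sibling pair (0.8) from the unrelated sample (0.0). On real files the same features would be read from the PE debug directory and the string table rather than carved from raw bytes.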
It wasn't long before the two small binaries led to a stream of new samples, all found with newly established Check Point hunting rules. The team then analyzed the