Graphology of an Exploit – Fingerprinting exploit authors to help with hunting zero-day exploits in the wild

In the cyber-crime economy, which is all about exploiting vulnerabilities in software and products, the most valuable and prized asset is the ‘zero day’ – a vulnerability for which there is no patch or update available.  Last year, an exploit broker stated it would pay up to $2 million for zero-day jailbreaks of Apple’s iOS and $1 million for zero-day exploits that take over WhatsApp and iMessage.

It’s easy to understand why zero days are in such demand.  Attacks that exploit them are difficult to defend against, because in many cases no-one is aware that the attack is even possible.  This means they can spread rapidly and infect large numbers of devices and users.

Zero day vulnerabilities can take many forms: for example, they could involve missing or flawed data encryption, SQL injection, buffer overflows, missing authorizations, broken algorithms, URL redirects, bugs, or problems with password security. The focus of attention is usually on the malware that exploits the zero-day vulnerability, but in order for that malware to be developed and created, someone has to first find the vulnerability and work out how to exploit it.

These specialists are the exploit authors, who usually work quietly out of the spotlight to discover and sell zero day vulnerabilities to the highest bidder. Over the past few months, our Vulnerability and Malware Research teams joined forces to investigate the world of exploit authors and their work.  Starting from a single Incident Response case, we built a profile of one of the most active exploit developers for Windows, known as “Volodya” or “BuggiCorp”. So far, we managed to track down more than 10 (!) of their Windows Kernel Local Privilege Escalation (LPE) exploits, many of which were zero-days at the time of development.

CSI: cyber fingerprinting

Our research methodology was to ‘fingerprint’ an exploit author’s working technique, looking for unique identifiers that could be associated with that individual.  We did this by analyzing code, and looking for characteristics such as the way that code was written and implemented – in the same way that a graphologist analyzes handwriting, or a specialist looks for unique features in prints from a crime scene.
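To make the idea concrete, here is an added illustration of what a code-fingerprinting pass looks like in practice. It is not the researchers' tooling and does not use the actual characteristics they relied on (those are in the full research blog); it uses two generic artefact classes, printable strings and 32-bit constants, keeps only the artefacts that recur across one author's known samples and do not recur for any other author, and scores an unknown sample by how much of an author's habit set it contains. Every sample below is a constructed byte string, not a real exploit, and the author names are placeholders.

```python
"""
Added illustration of author fingerprinting by recurring code artefacts.
Samples, author names and thresholds are all constructed for the example.
"""
import re
import struct
from typing import Dict, List, Optional, Set, Tuple, Union

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs of 6+ chars


def extract_features(blob: bytes) -> Set[str]:
    """Feature set of one sample: 'str:<text>' and 'const:<hex>' tokens."""
    feats: Set[str] = set()
    spans: List[Tuple[int, int]] = []
    for m in STRING_RE.finditer(blob):
        feats.add("str:" + m.group().decode("ascii"))
        spans.append(m.span())
    # 4-byte aligned little-endian constants that do not fall inside a string
    # run; small values are skipped because they are mostly counters/offsets.
    for off in range(0, len(blob) - 3, 4):
        if any(start <= off < end for start, end in spans):
            continue
        val = struct.unpack_from("<I", blob, off)[0]
        if 0x1000 < val < 0xFFFFFFFF:
            feats.add(f"const:{val:#010x}")
    return feats


def build_profiles(known: Dict[str, List[bytes]], min_count: int = 2) -> Dict[str, Set[str]]:
    """Per-author habit set: features seen in at least min_count of that
    author's samples, minus anything that is also a habit of another author
    (shared OS/library strings do not attribute anyone)."""
    raw: Dict[str, Set[str]] = {}
    for author, samples in known.items():
        counts: Dict[str, int] = {}
        for sample in samples:
            for f in extract_features(sample):
                counts[f] = counts.get(f, 0) + 1
        raw[author] = {f for f, c in counts.items() if c >= min_count}
    profiles: Dict[str, Set[str]] = {}
    for author, feats in raw.items():
        others = set().union(*(v for a, v in raw.items() if a != author))
        profiles[author] = feats - others
    return profiles


def coverage(unknown: bytes, profile: Set[str]) -> float:
    """Share of an author's habit features present in the unknown sample."""
    if not profile:
        return 0.0
    return len(extract_features(unknown) & profile) / len(profile)


def attribute(unknown: bytes, profiles: Dict[str, Set[str]],
              threshold: float = 0.5) -> Tuple[Optional[str], Dict[str, float]]:
    """Best-matching author above the threshold (or None) plus all scores."""
    scores = {a: coverage(unknown, p) for a, p in profiles.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores


def make_blob(*parts: Union[bytes, int]) -> bytes:
    """Constructed 'binary': strings padded to 4-byte alignment, ints packed LE."""
    out = b""
    for p in parts:
        if isinstance(p, int):
            out += struct.pack("<I", p)
        else:
            out += p + b"\0" * (-len(p) % 4)
    return out


# Constructed corpus: two samples per placeholder author. The recurring
# debug string, tag and marker constant are the "handwriting" we look for;
# the OS module names are shared background and must not count.
KNOWN_SAMPLES: Dict[str, List[bytes]] = {
    "author_A": [
        make_blob(b"[*] stage two ok\n", 0xDEADC0DE, b"ntoskrnl.exe", 0x00401000, b"BugChk-v3 build"),
        make_blob(b"BugChk-v3 build", b"[*] stage two ok\n", 0xDEADC0DE, b"win32k.sys", 0x00402000),
    ],
    "author_B": [
        make_blob(b"PrivEsc done\n", 0xCAFEBABE, b"ntoskrnl.exe", 0x7FFE0000),
        make_blob(b"PrivEsc done\n", 0xCAFEBABE, b"win32k.sys", 0x7FFE0300),
    ],
}

# Constructed unknown sample that carries author_A's habits plus new material.
UNKNOWN_SAMPLE = make_blob(b"[*] stage two ok\n", b"ntoskrnl.exe", 0xDEADC0DE,
                           0x00403000, b"BugChk-v3 build", b"unrelated payload text")

if __name__ == "__main__":
    profiles = build_profiles(KNOWN_SAMPLES)
    for author, feats in profiles.items():
        print(author, sorted(feats))
    print(attribute(UNKNOWN_SAMPLE, profiles))
```

The two filters in `build_profiles` carry the practical lesson: a feature only becomes part of an author's profile if it recurs across that author's samples, and it is discarded again if another author shows the same habit, so common strings such as module names never drive an attribution on their own.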

During this research, we focused on exploits that are used by or embedded in different malware families, both in APT attacks and in commoditized malware (especially ransomware). Although such exploits are widespread, we often found detailed malware reports that neglected to mention that the malware at hand also uses an exploit to escalate its privileges.

The fact that we were able to use our technique, repeatedly, to track 16 Windows LPE exploits, written and sold by two different authors, was very surprising. Considering that 15 of them date to the timeframe of 2015-2019, it is plausible to assume that they constitute a significant share of the exploitation market, specifically for Windows LPE exploits.

Zero-day customers

During our entire research process, we wanted to focus on the two exploit authors we identified. However, we believe that there is also much to learn by looking at these exploit authors’ clientele. The list of Volodya’s clients is diverse and includes the authors of banker trojans such as Ursnif, of ransomware such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started in cyber-crime and later shifted to cyber-espionage).

The APT customers, Turla, APT28, and Buhtrap, are all commonly linked to Russia and it is interesting to find that even these advanced groups purchase exploits from exploit authors, instead of developing them in-house. This is another point which strengthens our hypothesis that these zero-day exploits should be treated as a separate and distinct part of the construction of malware and the malware economy.

The following table summarizes the CVEs we were able to attribute to Volodya, as well as the customers or malware groups we found using these exploits. CVEs marked in blue are 0-days, and naturally more expensive. The highlighted groups on the left are considered APTs.

Volodya’s customers and the CVEs that were used by them.

Our research was able to fingerprint an exploit writer’s characteristic techniques, and then use these properties later on to identify and track two exploit authors, Volodya and PlayBit. The fact that we were able to use our techniques, repeatedly, to track 16 Windows LPE exploits, written and sold by two different actors, was very surprising. Considering that 15 of the exploits date to the timeframe of 2015 – 2019, it is plausible to assume that they constitute a significant share of the Windows LPE exploitation market.

Based on these two successful test cases, we believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.  For full details of our methodology and results, visit our research blog.