Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack - 安恒威胁情报中心 (DBAPPSecurity Threat Intelligence Center)
Tags
country | China |
attack-pattern | Hardware - T1592.001; Software - T1592.002; Vulnerabilities - T1588.006 |
Common Information
Type | Value |
---|---|
UUID | eecaee98-7055-4db1-b0b2-20566e51cda5 |
Fingerprint | f4b114d7928f2381 |
Analysis status | DONE |
Considered CTI value | 1 |
Text language | |
Published | Feb. 10, 2021, 8:12 a.m. |
Added to db | Sept. 26, 2022, 9:34 a.m. |
Last updated | Nov. 12, 2024, 11:50 a.m. |
Headline | Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack |
Title | Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack - 安恒威胁情报中心 (DBAPPSecurity Threat Intelligence Center) |
Detected Hints/Tags/Attributes | 44/2/5 |
Source URLs
URL Provider
Attributes
Type | #Events | Value |
---|---|---|
CVE | 45 | cve-2021-1732 |
Domain | 1 | tagmenubarinfo.rcbar.top |
File | 15 | win32kfull.sys |
File | 119 | avp.exe |
Yara rule | 1 | apt_bitter_win32k_0day (rule text below) |

The YARA rule attached to this entry, reflowed from the single extracted line. The rule body is unchanged; the `//` comments are added here and decode the hex fragments as x86-64 instructions:

```yara
rule apt_bitter_win32k_0day {
    meta:
        author = "dbappsecurity_lieying_lab"
        data = "01-01-2021"
    strings:
        // API names referenced by the exploit, matched as ASCII or UTF-16LE ("wide")
        $s1 = "NtUserConsoleControl" ascii wide
        $s2 = "NtCallbackReturn" ascii wide
        $s3 = "CreateWindowEx" ascii wide
        $s4 = "SetWindowLong" ascii wide
        // shr rax, 2 ; shr rcx, 2 ; mov dword ptr [rdx+rcx*4], imm32 (the imm32 is not part of the pattern)
        $a1 = { 48 C1 E8 02 48 C1 E9 02 C7 04 8A }
        // nop word ptr [rax+rax] ; cmp byte ptr [rcx+rax], 0E8h ; je +22h ; inc edx ; inc rcx
        $a2 = { 66 0F 1F 44 00 00 80 3C 01 E8 74 22 FF C2 48 FF C1 }
        // movsxd rax, dword ptr [rip+569CCh] ; mov ecx, dword ptr [rip+569C2h] ; shl rax, 20h ; add rax, rcx
        $a3 = { 48 63 05 CC 69 05 00 8B 0D C2 69 05 00 48 C1 E0 20 48 03 C1 }
    condition:
        // PE ("MZ") header, all four API strings, and at least one of the code fragments
        uint16(0) == 0x5a4d and all of ($s*) and 1 of ($a*)
}
```

Two points a practitioner should weigh before deploying the rule. The four `$s` strings are ordinary user32/win32u import names that appear in many benign binaries, so `all of ($s*)` on its own is a weak filter and the rule's selectivity rests on the `$a` fragments. Of those, `$a3` embeds two RIP-relative displacements (`569CCh`, `569C2h`), which ties it to one exact build of the exploit binary; a recompiled or relinked sample would keep the logic but shift those offsets, and `$a1`/`$a2` are the fragments more likely to survive such a change.
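To make the rule's condition concrete, the following added example (not code from the report or from the rule's authors) re-implements its matching logic in plain Python, with no yara-python dependency: the `uint16(0) == 0x5a4d` check, `ascii wide` matching of the four API names (raw ASCII or UTF-16LE), and substring search for the three hex fragments, which contain no wildcards or jumps. It runs against constructed buffers that stand in for samples; the buffers, the helper names and the placeholder imm32 appended after `$a1` are assumptions for illustration, not data from the report.

```python
"""Plain-Python evaluator for the apt_bitter_win32k_0day rule's condition.

Added example: not code from the report or from the rule's authors. The
buffers built by build_sample() are constructed for illustration and are
not real BITTER samples.
"""

# The four text strings, declared `ascii wide` in the rule: YARA matches
# either the raw ASCII bytes or the UTF-16LE encoding of each.
TEXT_STRINGS = (
    "NtUserConsoleControl",
    "NtCallbackReturn",
    "CreateWindowEx",
    "SetWindowLong",
)

# The three hex fragments ($a1..$a3) from the rule. None uses wildcards or
# jumps, so a plain substring search reproduces YARA's matching for them.
HEX_PATTERNS = {
    "$a1": bytes.fromhex("48C1E80248C1E902C7048A"),
    "$a2": bytes.fromhex("660F1F440000803C01E87422FFC248FFC1"),
    "$a3": bytes.fromhex("486305CC6905008B0DC269050048C1E0204803C1"),
}


def text_string_hits(data, s):
    """Return the encodings of s ('ascii', 'wide') that occur in data."""
    hits = []
    if s.encode("ascii") in data:
        hits.append("ascii")
    if s.encode("utf-16-le") in data:
        hits.append("wide")
    return hits


def evaluate_rule(data):
    """Evaluate the rule's condition clause by clause and return a breakdown."""
    # uint16(0) == 0x5a4d: YARA's uintN() reads little-endian, so this is the
    # two-byte "MZ" signature at offset 0.
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    text = {s: text_string_hits(data, s) for s in TEXT_STRINGS}
    all_text = all(text.values())                                    # all of ($s*)
    hex_hits = [name for name, pat in HEX_PATTERNS.items() if pat in data]  # 1 of ($a*)
    return {
        "mz": is_mz,
        "text": text,
        "hex": hex_hits,
        "match": is_mz and all_text and len(hex_hits) >= 1,
    }


def build_sample(wide=False, fragment=None, header=b"MZ"):
    """Construct a toy buffer: header, the four API names, optional fragment.

    Constructed test data; not a valid PE beyond the signature bytes.
    """
    encoding = "utf-16-le" if wide else "ascii"
    buf = bytearray(header + b"\x00" * 62)
    for s in TEXT_STRINGS:
        buf += s.encode(encoding) + b"\x00\x00"
    if fragment is not None:
        # $a1 ends at the ModRM/SIB of a `mov [rdx+rcx*4], imm32`; the imm32
        # appended here is an arbitrary placeholder (assumption).
        buf += HEX_PATTERNS[fragment] + b"\x78\x56\x34\x12"
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "ascii strings + $a1": build_sample(fragment="$a1"),
        "wide strings + $a3": build_sample(wide=True, fragment="$a3"),
        "benign PE, same imports, no fragment": build_sample(),
        "not a PE, $a2 present": build_sample(fragment="$a2", header=b"\x7fELF"),
    }
    for label, blob in cases.items():
        r = evaluate_rule(blob)
        print(f"{label}: match={r['match']} mz={r['mz']} hex={r['hex']}")
```

The third case is the one worth noting: a buffer that carries all four API names but none of the code fragments does not match, which is the behaviour that keeps the rule from firing on ordinary GUI binaries that import the same functions.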