Volodya/BuggiCorp Windows exploit developer: What you need to know

Check Point researchers unveiled the identity of two authors responsible for attacks on using a novel technique that allows them to recognize and identify malicious developers. According to the Check Point , “Volodya” or “BuggiCorp,” was the most active developer for Windows last year and launched more than 10 Windows Kernel Local Privilege Escalation (LPE) exploits, many of them .

By recognizing the fingerprint of specific developers, researchers were able to perform three tasks:

- Detect the presence of attacks developed by developers in specific malware families
- Detect additional attacks developed by the same author, since they share a unique fingerprint
- Block all malware families that use an already studied and whose “fingerprint” has already been identified

Background

The work began after a malware incident at one of the Check Point team's clients.

Researchers said “the sample contained unusual debug strings that pointed at an attempt to a vulnerability on the victim machine. Even more importantly, the sample had a leftover PDB path which proclaimed loud and clear the goal of this binary: …cve-2019-0859x64ReleaseCmdTest.pdb.”

No proof-of-concept or exploits were available online to take advantage of CVE-2019-0859. This was the starting point to

Read More: https://resources.infosecinstitute.com/topic/volodya-buggicorp-windows-exploit-developer-what-you-need-to-know/