Check Point researchers unveiled the identity of two authors responsible for zero-day attacks on windows using a novel technique that allows them to recognize and identify malicious developers. According to the Check Point research, “Volodya” or “BuggiCorp,” was the most active developer for Windows last year and launched more than 10 Windows Kernel Local Privilege Escalation (LPE) exploits, many of them zero-days.
By recognizing the fingerprint of specific developers, researchers were able to perform three security tasks:
Detect the presence of attacks developed by developers in specific malware families Detect additional attacks developed by the same author, since they share a unique fingerprint Block all malware families that use an attack already studied and whose “fingerprint” has already been identified Background
The work began after a malware incident from a specific client from the Check Point team.
Researchers said “the sample contained unusual debug strings that pointed at an attempt to exploit a vulnerability on the victim machine. Even more importantly, the sample had a leftover PDB path which proclaimed loud and clear the goal of this binary: …cve-2019-0859x64ReleaseCmdTest.pdb.”
No proof-of-concept or exploits were available online to take advantage of CVE-2019-0859. This was the starting point to