Windows Task Manager’s Zero-day Vulnerability, Detected by ESET

Windows Task Scheduler was Microsoft’s answer to Unix Cron, for the purpose of running applications, scripts, and batch commands on-schedule. It was first released as an add-on option for Windows 95 and NT4.0 in 1997 as part of the Internet Explorer 4.0 installer package. With Windows 98 and later, Windows Task Scheduler became a regular member of the Windows Control Panel. For many decades since 1997, Windows Task Scheduler was not involved in any large-scale cybersecurity exploits, until now.

ESET, a mainstream antimalware vendor has revealed that a zero-day vulnerability in Windows Task Scheduler is being exploited by a hacker group loosely called “PowerPool”, a nasty elevated privileges backdoor. The exploit is done through Advanced Local Procedure Call module, more particularly the SchRpcSetSecurity API. This creates a universal “allow” permission to write to C:\Windows\Tasks folder, regardless of the user privilege of the logged-in user. This weakness opens the Windows Task Scheduler to be a platform to launch any type of user action, like installing software, running a program or launching a service.

The PowerPool group’s main target is the C:\Program Files (x86)\Google\Update\GoogleUpdate.exe. This is the official update application of Google apps in Windows, like Chrome, Earth, and Hangouts. Successful write access to GoogleUpdate.exe enables the attackers to upload a fake program which pretends to be GoogleUpdate.exe, as by design the program has admin privileges as it was originally intended to automatically install an update to a Google app.

“This specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals also follow the news and work on employing exploits as soon as they are publicly available,” an ESET representative said.

The PowerPool group’s initial activity was initially detected by ESET’s Matthieu Faou since 2017. But only this year that they got very active in attacking Windows machines from Ukraine, US, UK, Russia, Poland, Philippines, India, Germany, and Chile. “I was not able to clearly identify the final goal of this group. However, the nature of their tools and the low number of victims suggests this is an espionage campaign. They conduct spam campaigns but at a relatively low volume,” explained Faou.

PowerPool may be a small group of hackers, with a goal to profit from their exploits. The situation highlights the lack of urgency on the part of system administrators with the patching process, as mosts of the exploits were already fixed by Microsoft already. The huge delay between the release of the fix versus the actual installation of the patches speaks volumes on why PowerPool group and other cybercriminals are successful with their goals. “The difference between this zero-day and most of the previous ones is the release of the full source code used to exploit the vulnerability. Thus, it can be easily reused by malware developers. They were able to elevate the privileges of their 2nd stage backdoor from a restricted user to SYSTEM. I did not find any trace of previous failed attempts,” concluded Faou.