Exploitation of 0-day vulnerability in Yandex.Browser for persistence

The Russian cybersecurity landscape is now characterized by an ever-growing number of APT attacks on Russian companies. Intruders try to disrupt production processes, stop business operations and exfiltrate information. All of this results in downtime, audits, infrastructure overhauls, etc., which translates into lost profits. Moreover, criminals can be very resourceful in achieving their goals, exploiting all kinds of previously unknown vulnerabilities. Doctor Web has uncovered an APT attack that stands out among others for its rather unusual way of achieving persistence.

In this attack, the criminals attempted to exploit a previously unknown DLL search order hijacking vulnerability in the popular Russian browser Yandex.Browser to gain long-term persistence on the compromised system. Hijacking the browser would allow attackers to bypass firewalls, create processes from the context of Yandex.Browser, execute commands, etc. The DLL itself is designed to download a previously unseen modular trojan.
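A defender-side triage check for the persistence pattern described above, added here as an example and not part of the talk or of Doctor Web's tooling: it scans the modules a browser process has loaded and flags the two signatures of a search order hijack, a system DLL name resolved from outside the Windows directory and any module mapped from outside both the install and Windows directories. The sample module list, the install path and the short system-DLL allow-list are constructed assumptions.

```python
from pathlib import PureWindowsPath

# DLLs a legitimate process resolves from the Windows directory. One of
# these names loading from the application folder instead is the classic
# search-order hijack pattern (short illustrative allow-list, an assumption).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


def _under(path, root):
    """True if path lies inside root (Windows paths compare case-insensitively)."""
    return root in path.parents


def hijack_candidates(loaded_modules, app_dir, windows_dir):
    """Return (path, reason) tuples for loaded modules that look planted.

    loaded_modules: full paths the process has mapped (e.g. from EDR telemetry).
    app_dir: the browser's install directory. windows_dir: e.g. C:\\Windows.
    """
    app = PureWindowsPath(app_dir)
    win = PureWindowsPath(windows_dir)
    findings = []
    for mod in loaded_modules:
        p = PureWindowsPath(mod)
        if p.name.lower() in SYSTEM_DLL_NAMES and not _under(p, win):
            findings.append((mod, "system DLL name resolved outside Windows directory"))
        elif not _under(p, app) and not _under(p, win):
            findings.append((mod, "module loaded from outside install and Windows directories"))
    return findings


# Constructed sample telemetry for a hypothetical browser install (not real paths).
APP_DIR = r"C:\Users\alice\AppData\Local\ExampleBrowser\Application"
WINDOWS_DIR = r"C:\Windows"
SAMPLE_MODULES = [
    APP_DIR + r"\browser.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\version.dll",          # resolved correctly
    APP_DIR + r"\chrome_elf.dll",                # legitimate app-local DLL
    APP_DIR + r"\dbghelp.dll",                   # planted copy shadowing System32
    r"C:\Users\alice\AppData\Roaming\update\helper.dll",  # loaded from user-writable dir
]

if __name__ == "__main__":
    for path, why in hijack_candidates(SAMPLE_MODULES, APP_DIR, WINDOWS_DIR):
        print(f"{why}: {path}")
```

Real telemetry would come from a process module listing or EDR events; the check is intentionally path-based so it works on historical logs as well as live hosts.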

In our presentation, we will cover the following aspects of the attack: initial access, execution, persistence, C&C, and evasion. We will also examine the malware involved.

Ivan Korolev – Doctor Web, Ltd.

Ivan Korolev joined Doctor Web in 2014 as a malware analyst and since 2019 has been working as team leader of the botnet research team. He is focused on analyzing targeted attacks, botnets and emerging threats. He likes to find vulnerabilities and participate in bug bounties in his spare time.

Igor Zdobnov – Doctor Web, Ltd.

Igor Zdobnov joined Doctor Web in 2002 as a malware analyst and since 2009 has been working as chief malware analyst. He leads various security projects inside the company, covering threat intelligence, threat detection and prevention. He is passionate about malware analysis, reverse engineering and building machine learning malware detection systems.