{
	"id": "749b10d3-e317-4e81-b821-97641367ba6e",
	"created_at": "2026-04-06T00:10:54.221855Z",
	"updated_at": "2026-04-10T03:37:50.517302Z",
	"deleted_at": null,
	"sha1_hash": "31ecc382a260f8109597037ef4de9bcb8cc15e4e",
	"title": "Zero-day exploit (CVE-2018-8453) used in targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 378511,
	"plain_text": "Zero-day exploit (CVE-2018-8453) used in targeted attacks\r\nBy AMR\r\nPublished: 2018-10-10 · Archived: 2026-04-05 20:55:37 UTC\r\nYesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.\r\nIn August 2018 our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this case led us to uncover a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer to obtain the privileges necessary for persistence on the victim’s system. The code of the exploit is of high quality and written with the aim of reliably exploiting as many different MS Windows builds as possible, including MS Windows 10 RS4.\r\nSo far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.\r\nKaspersky Lab products detected this exploit proactively through the following technologies:\r\n1. Behavioral detection engine and Automatic Exploit Prevention for endpoints\r\n2. Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA)\r\nKaspersky Lab verdicts for the artifacts in this campaign are:\r\nHEUR:Exploit.Win32.Generic\r\nHEUR:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nMore information about this attack is available to customers of Kaspersky Intelligence Reports. Contact: intelreports@kaspersky.com\r\nTechnical details\r\nCVE-2018-8453 is a Use-After-Free inside win32kfull!xxxDestroyWindow that resembles an older vulnerability, CVE-2017-0263. 
CVE-2017-0263 was originally deployed by the Sofacy APT, together with a PostScript exploit, back in 2017.\r\nhttps://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/\r\nPage 1 of 8\r\nFor technical analysis of the vulnerability, we completely reverse-engineered the in-the-wild (ITW) exploit sample we obtained and rewrote it into a full Proof of Concept.\r\nThe exploitation of this vulnerability depends on a sequence of events performed from hooks set on three usermode callback functions: fnDWORD, fnNCDESTROY, and fnINLPCREATESTRUCT. The exploit installs these hooks by replacing the function pointers in the KernelCallbackTable:\r\nHooked functions in the Kernel Callback Table\r\nInside the fnINLPCREATESTRUCT hook, the exploit initializes a “SysShadow” window by explicitly assigning a position to it:\r\nUsermode hook on fnINLPCREATESTRUCT initializes SysShadow\r\nWhen processing the WM_LBUTTONDOWN message, the fnDWORD hook calls the DestroyWindow function on the parent, which results in the window being marked as freed and subsequently released by the garbage collector.\r\nThe issue lies inside the fnNCDESTROY hook, which runs during execution of the DestroyWindow function. 
This hook executes the NtUserSetWindowFNID syscall, which contains flawed logic that changes the fnid of the window without checking whether it is already set to FNID_FREED.\r\nVulnerable code inside NtUserSetWindowFNID\r\nThe fnid of the window is located at offset 0x02a in the tagWND structure:\r\nkd\u003e dt win32k!tagWND\r\n…\r\n+0x02a fnid : Uint2B\r\nWhen the scrollbar is initially created, it has the value FNID_SCROLLBAR (0x029A).\r\nThe next diagram shows the value of fnid before and after execution of the NtUserSetWindowFNID syscall:\r\nScrollbar fnid before and after execution of the NtUserSetWindowFNID syscall\r\nWe can check what the new fnid value means by looking it up in the ReactOS source code:\r\n/* FNIDs for NtUserSetWindowFNID, NtUserMessageCall */\r\n#define FNID_SCROLLBAR 0x029A\r\n…\r\n#define FNID_BUTTON 0x02A1\r\n…\r\n#define FNID_FREED 0x8000 /* Window being Freed… */\r\nThis action results in the first scrollbar being destroyed while the system still maintains a reference to the “SysShadow” class, because the scrollbar fnid is no longer marked as FNID_FREED but as FNID_BUTTON instead.\r\nTo reliably reclaim the freed pool memory, the exploit contains a number of different heap feng shui tactics. The spray procedure depends on the exploited Windows version, and because the exploit targets a wide range of operating systems, it includes five separate spraying functions:\r\nHeap spraying procedures supported in the exploit\r\nFor the latest supported version (Windows 10 RS4), the spray tactic is quite complicated. The kernel is sprayed with bitmap objects of different sizes. 
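The fnid check described above, reduced to a small C model. This is an added example, not code from the exploit, from Windows or from the original post. The tagWND stand-in reproduces only the 0x02a offset of fnid quoted from the dt output and the FNID_SCROLLBAR, FNID_BUTTON and FNID_FREED values quoted from ReactOS; the pcls field, the assumption that DestroyWindow ORs FNID_FREED into fnid, and the deferred-free logic that only releases the class reference for windows still marked FNID_FREED are simplifications made for illustration. It replays the hook sequence twice, once through a setter that overwrites fnid unchecked (the flaw the page describes) and once through a setter that refuses to touch a window already marked FNID_FREED, and reports whether the class reference outlives the freed allocation:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* FNIDs as quoted on the page from the ReactOS headers. */
#define FNID_SCROLLBAR 0x029A
#define FNID_BUTTON    0x02A1
#define FNID_FREED     0x8000   /* Window being Freed */

/* Stand-in for win32k!tagWND.  Only the position of fnid (+0x02a, Uint2B) is
 * taken from the dt output on the page; the other fields are placeholders and
 * pcls is an assumed field standing for the reference to the window class. */
struct tagWND {
    uint8_t     opaque[0x2a];  /* header, flags and pointers that are not modelled */
    uint16_t    fnid;          /* +0x02a fnid : Uint2B */
    uint16_t    pad;
    const void *pcls;          /* assumed: class reference (SysShadow in the exploit) */
};

struct sequence_result {
    uint16_t fnid_after_hook;    /* fnid once the fnNCDESTROY hook has returned */
    bool     pool_freed;         /* the tagWND block was returned to the pool */
    bool     class_ref_dangling; /* the class reference survived the free */
};

static const int sysshadow_class_placeholder = 0;

size_t fnid_offset(void) { return offsetof(struct tagWND, fnid); }

/* DestroyWindow marks the window as being freed.  Assumed to OR the flag in;
 * whether the real kernel ORs or assigns does not change the outcome here. */
static void model_destroy_window(struct tagWND *w) { w->fnid |= FNID_FREED; }

/* The behaviour the page describes as vulnerable: the new fnid is stored
 * without checking for FNID_FREED, so the freed mark is silently lost. */
static void set_window_fnid_vulnerable(struct tagWND *w, uint16_t fnid) { w->fnid = fnid; }

/* Hardened variant: a window that is already being freed keeps its mark. */
bool set_window_fnid_fixed(struct tagWND *w, uint16_t fnid) {
    if (w->fnid & FNID_FREED)
        return false;
    w->fnid = fnid;
    return true;
}

/* Deferred free.  The pool block goes back to the allocator either way, but
 * in this model the class reference is only released for windows that are
 * still marked FNID_FREED, which is the dangling state the exploit reclaims
 * with its heap spray. */
static void model_deferred_free(struct tagWND *w, struct sequence_result *r) {
    if (w->fnid & FNID_FREED)
        w->pcls = NULL;
    r->pool_freed = true;
    r->class_ref_dangling = (w->pcls != NULL);
}

/* Replay the hook sequence against one of the two setters. */
struct sequence_result run_sequence(bool use_fixed_syscall) {
    struct sequence_result r = {0};
    struct tagWND scrollbar = {0};
    scrollbar.fnid = FNID_SCROLLBAR;
    scrollbar.pcls = &sysshadow_class_placeholder;

    /* fnDWORD hook: WM_LBUTTONDOWN triggers DestroyWindow on the parent. */
    model_destroy_window(&scrollbar);

    /* fnNCDESTROY hook, running while DestroyWindow is still in progress:
     * the exploit issues NtUserSetWindowFNID with FNID_BUTTON. */
    if (use_fixed_syscall)
        set_window_fnid_fixed(&scrollbar, FNID_BUTTON);
    else
        set_window_fnid_vulnerable(&scrollbar, FNID_BUTTON);
    r.fnid_after_hook = scrollbar.fnid;

    /* Garbage collector reclaims the window. */
    model_deferred_free(&scrollbar, &r);
    return r;
}

int main(void) {
    struct sequence_result vuln  = run_sequence(false);
    struct sequence_result fixed = run_sequence(true);
    /* Exit status 0 only if the model shows the bug and the fix closes it. */
    if (fnid_offset() != 0x2a) return 1;
    if (!(vuln.pool_freed && vuln.class_ref_dangling && vuln.fnid_after_hook == FNID_BUTTON)) return 2;
    if (!(fixed.pool_freed && !fixed.class_ref_dangling)) return 3;
    return 0;
}
```

Compiled as is, main returns 0 only when the unchecked setter leaves the class reference dangling and the checked setter does not. The value to watch is fnid_after_hook: on the flawed path it is FNID_BUTTON (0x02A1), which is why the freed window is no longer treated as freed; on the hardened path it keeps FNID_FREED set, so the deferred free releases the reference before the block can be reclaimed by a spray.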
Spraying bitmaps of different sizes is required to exhaust the memory allocator and eventually bypass the Low Fragmentation Heap security mitigations that were significantly improved in the latest Windows builds:\r\nHeap Feng Shui technique for Windows RS4 17134\r\nThis leads to the following memory layout, where USERTAG_SCROLLTRACK is the freed pool allocation:\r\nFreed scrollbar heap allocation\r\nWhen another scrollbar is allocated, the SysShadow class memory reference is reused, but its contents are attacker-controlled, because the freed Usst (ffffee30044b2a10) and Gpbm (ffffee30044b2a90) pool allocations were merged into a single block:\r\nFreed allocation is merged with the following pool\r\nThis results in a powerful arbitrary kernel read/write primitive built on GDI Bitmap objects, which works even on the latest Windows versions.\r\nFollowing successful exploitation, a slightly modified token-stealing payload is used to swap the current process Token value with the one from the SYSTEM EPROCESS structure:\r\nModified Token-stealing payload process\r\nSo far, we have observed the use of this exploit in a small number of targeted attacks, where the exploit is packaged in a malware installer. The installer requires system privileges to install its payload. The payload is a sophisticated implant used by the attackers for persistent access to the victims’ machines. 
Some of its main characteristics include:\r\n- Encrypting the main payload using AES-256-CBC with the SHA-1 of the SMBIOS UUID (this makes it impossible to decrypt the payload on machines other than the victim’s if the SMBIOS UUID is not known)\r\n- Using Microsoft BITS (Background Intelligent Transfer Service) for communicating with its C\u0026C servers, an unusual technique\r\n- Storing the main payload in a randomly named file on disk; the loader contains a hash of the filename and attempts to find the payload by comparing the filename hash of every file in the Windows directory\r\nMore details on this malware and the APT behind it are available to customers of Kaspersky Intelligence Reporting. Contact: intelreports@kaspersky.com\r\nVictims\r\nThe distribution of the attack seems to be highly targeted, affecting fewer than a dozen victims in the Middle East region, according to our telemetry.\r\nAttribution\r\nDuring our investigation, we discovered the attackers were using a PowerShell backdoor that had previously been seen used exclusively by the FruityArmor APT. There is also an overlap in the domains used for C2 between this new set of activity and previous FruityArmor campaigns. That makes us assess with medium confidence that FruityArmor is responsible for the attacks leveraging CVE-2018-8453.\r\nConclusion\r\nEven though deploying 0-days seems to be more frequent than it used to be, this is the second time we have spotted FruityArmor using one of them to distribute its malware. This points to the resources and sophistication of this actor, along with the advanced final stage they distribute.\r\nSo far, this campaign has been extremely targeted, affecting a very low number of victims in the Middle East region, probably persons of interest for the attackers. 
However, the victimology is not clear, especially with such a small number of victims involved.\r\nWe believe that although FruityArmor’s activity has been slowly increasing during the last two years, the extremely targeted nature of the attacks helps them fly below the radar.\r\nAppendix I – Indicators of compromise:\r\nDomains:\r\nweekendstrips[.]net\r\nshelves-design[.]com\r\nSource: https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/"
	],
	"report_names": [
		"88151"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31ecc382a260f8109597037ef4de9bcb8cc15e4e.pdf",
		"text": "https://archive.orkl.eu/31ecc382a260f8109597037ef4de9bcb8cc15e4e.txt",
		"img": "https://archive.orkl.eu/31ecc382a260f8109597037ef4de9bcb8cc15e4e.jpg"
	}
}