{
	"id": "6ae5d1bd-4380-4619-8cb7-84f858ce591f",
	"created_at": "2026-04-06T00:22:11.522139Z",
	"updated_at": "2026-04-10T03:20:07.59657Z",
	"deleted_at": null,
	"sha1_hash": "4aa58052e825a1c2a68d7d12894e662653c9e829",
	"title": "Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 283863,
	"plain_text": "Threat Actor Leverages Windows Zero-day Exploit in Payment\r\nCard Data Attacks | Mandiant\r\nBy Mandiant\r\nPublished: 2016-05-11 · Archived: 2026-04-02 12:45:10 UTC\r\nWritten by: Dhanesh Kizhakkinan, Yu Wang, Dan Caselden, Erica Eng\r\nIn March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily\r\ntargeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word\r\ndocuments with embedded macros that, when enabled, downloaded and executed a malicious downloader that we\r\nrefer to as PUNCHBUGGY.\r\nPUNCHBUGGY is a dynamic-link library (DLL) downloader, existing in both 32-bit and 64-bit versions, that can\r\nobtain additional code over HTTPS. This downloader was used by the threat actor to interact with compromised\r\nsystems and move laterally across victim environments.\r\nFireEye identified more than 100 organizations in North America that fell victim to this campaign. 
FireEye\r\ninvestigated a number of these breaches and observed that the threat actor had access to relatively sophisticated\r\ntools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale\r\n(POS) memory scraping tool that we refer to as PUNCHTRACK.\r\nCVE-2016-0167 – Microsoft Windows Zero-Day Local Privilege Escalation\r\nIn some victim environments, the threat actor exploited a previously unknown elevation of privilege (EoP)\r\nvulnerability in Microsoft Windows to selectively gain SYSTEM privileges on a limited number of compromised\r\nmachines (Figure 1).\r\nhttps://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html\r\nPage 1 of 6\n\nFigure 1: CVE-2016-0167 Local privilege escalation exploit elevates to system\r\nWe coordinated with Microsoft, who patched CVE-2016-0167 on the April 12, 2016, Patch Tuesday (MS16-039).\r\nWorking together, we were able to observe limited, targeted use of this particular exploit dating back to March 8,\r\n2016.\r\nThe Threat Actor\r\nWe attribute the use of this EoP to a financially motivated threat actor. In the past year, not only have we observed\r\nthis group using similar infrastructure and tactics, techniques, and procedures (TTPs), but they are also the only\r\ngroup we have observed to date who uses the downloader PUNCHBUGGY and POS malware PUNCHTRACK.\r\nDesigned to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a\r\nhighly obfuscated launcher and is never saved to disk.\r\nThis actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational\r\nawareness and ability to adapt their operations on the fly. 
These abilities, combined with targeted usage of an EoP\r\nexploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speak to the\r\nthreat actors’ operational maturity and sophistication.\r\nExploitation Details\r\nWin32k!xxxMNDestroyHandler Use-After-Free\r\nCVE-2016-0167 is a local elevation of privilege vulnerability in the win32k Windows Graphics subsystem. An\r\nattacker who had already achieved remote code execution (RCE) could exploit this vulnerability to elevate\r\nprivileges. In the attack observed in the wild, attackers first achieved RCE with malicious macros in documents attached\r\nto spear phishing emails. They then downloaded and ran a CVE-2016-0167 exploit to run subsequent code as\r\nSYSTEM.\r\nCVE-2016-0167 is patched as of April 12, 2016, meaning the attacker’s EoP exploit will no longer function on\r\nfully updated systems. Microsoft released an additional update (MS16-062) on May 10, 2016, to further improve\r\nWindows against similar issues.\r\nVulnerability Setup\r\nFirst, the exploit calls CreateWindowEx() to create a main window. It sets the WNDCLASSEX.lpfnWndProc field\r\nto a function that we name WndProc. It installs an application-defined hook (that we name MessageHandler) and\r\nan event hook (that we name EventHandler) using SetWindowsHookEx() and SetWinEventHook(), respectively.\r\nNext, it creates a timer with IDEvent 0x5678 in SetTimer(). When the timeout occurs, WndProc receives the\r\nWM_TIMER message and will invoke TrackPopupMenuEx() to display a shortcut menu. EventHandler will\r\ncapture the EVENT_SYSTEM_MENUPOPUPSTART event from xxxTrackPopupMenuEx() and post a message\r\nto the kernel. In handling the message, the kernel eventually calls the vulnerable function\r\nxxxMNDestroyHandler(), which calls the user-mode callback MessageHandler. 
MessageHandler then causes a\r\nuse-after-free scenario by calling DestroyWindow().\r\nHeap Control\r\nThe exploit uses SetSysColors() to perform heap feng shui, which manipulates the layout of the heap by carefully\r\nmaking heap allocations. In the following snippet, one of the important fields is at address fffff900`c1aaac40,\r\nwhere fffff900`c06a0422 is a window kernel object’s (tagWND) base address plus 0x22:\r\nMemory Corruption\r\nThe USE operation occurs at HMAssignmentUnlock()+0x14 as shown below:\r\nSince RDX contains the base address of tagWND plus 0x22, this instruction will add 0xffffffff to the\r\nwin32k!tagWND.state field, changing its value from 0x07004000 to 0x07003fff. 0x07004000 indicates that the\r\nbServerSideWindowProc flag is unset. When the change occurs, it sets the bServerSideWindowProc flag as shown\r\nbelow.\r\nCode Execution\r\nIf a window is marked as server-side (bServerSideWindowProc is set), the lpfnWndProc function pointer will be\r\ntrusted by default and this can be user-mode shellcode. The following backtrace shows the kernel calling the\r\nexploit’s shellcode:\r\nThe shellcode then steals the System process token to elevate a child cmd.exe process.\r\nMitigation\r\nFireEye products and services identify this activity as Exploit.doc.MVX, Malware.Binary.Doc, PUNCHBUGGY,\r\nMalware.Binary.exe, and PUNCHTRACK within the user interfaces.\r\nThe latest Windows updates address CVE-2016-0167 and fully protect systems from exploits targeting CVE-2016-0167.\r\nIn addition, effective mitigations exist to prevent social engineering attacks that utilize Office macros. 
Individual\r\nusers can disable Office macros in their settings and enterprise administrators can enforce a Group Policy to\r\ncontrol macro execution for all Office 2016 users. Read more about Office macro attacks and mitigations.\r\nAcknowledgements\r\nThank you to Elia Florio and the Secure@ staff of Microsoft, and Dimiter Andonov, Erye Hernandez, Nick\r\nRichard, and Ryann Winters of FireEye for their collaboration on this issue.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html"
	],
	"report_names": [
		"windows-zero-day-payment-cards.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aa58052e825a1c2a68d7d12894e662653c9e829.pdf",
		"text": "https://archive.orkl.eu/4aa58052e825a1c2a68d7d12894e662653c9e829.txt",
		"img": "https://archive.orkl.eu/4aa58052e825a1c2a68d7d12894e662653c9e829.jpg"
	}
}