{
	"id": "6f61f446-8b4a-464a-99e2-f3463289c79d",
	"created_at": "2026-04-06T00:10:15.320712Z",
	"updated_at": "2026-04-10T13:13:04.810942Z",
	"deleted_at": null,
	"sha1_hash": "bf7cbbfa87400f63d0832d317f90596a3fc1ae31",
	"title": "Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39329,
	"plain_text": "Microsoft Offers Analysis of Zero-Day Exploited By Zirconium Group\r\nBy Tom Spring\r\nPublished: 2017-03-28 · Archived: 2026-04-05 13:13:55 UTC\r\nMicrosoft patched a zero-day vulnerability actively used in a campaign by a hacking group known as Zirconium.\r\nMicrosoft has released technical details on a zero-day vulnerability being exploited by a little-known APT group known as Zirconium. According to the company, the vulnerability (CVE-2017-0005) affects mostly older versions of Windows and can allow an adversary to execute remote code if a user either visits a specially crafted website or opens a rigged document.\r\nThe vulnerability, outlined Monday in a technical paper by Microsoft, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface). If exploited, it could potentially allow an adversary to launch an elevation of privilege attack.\r\n“Attackers are not as much focusing on legacy systems but avoiding security enhancements present in modern hardware and current platforms like Windows 10 Anniversary Update,” according to Matt Oh, a member of Microsoft’s Windows Defender ATP Research Team, who authored the report.\r\nThe GDI library vulnerability was patched on March 14 with MS17-013. At the time, however, Microsoft did not disclose that the vulnerability was being actively exploited. The bug discloses data through memory and was revealed by Google’s engineer Mateusz Jurczyk. Microsoft originally patched the vulnerability (CVE-2017-0038) in June 2016, classifying it as important. But in February, Google’s Project Zero security researchers discovered the fix was incomplete.\r\nAfter skipping February’s round of Patch Tuesday updates, the company has released additional insights into the vulnerability.\r\nA technical breakdown of the exploit by Microsoft revealed that the zero-day EoP exploit targets computers running Windows 7 and Windows 8. According to researchers, there are four execution stages of the exploit package and corresponding functions.\r\nStage 1 decrypts the PE file of the main exploit code using the AES-256 algorithm; a hard-coded password is used as the key to decrypt the loader for the next stage. Stage 2 includes the API resolution routine, resembling, as Microsoft notes, how shellcode or position-independent code works. Stage 3 determines the identity of the operating system platform and its version number.\r\nThe actual exploit routine comprises stage 4.\r\n“After the environmental checks, the attacker code begins actual exploit of the Windows kernel vulnerability CVE-2017-0005, resulting in arbitrary memory corruption and privileged code execution,” Oh wrote.\r\nhttps://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/\r\nPage 1 of 2\n\nOf interest to researchers, the code execution used by Zirconium is made possible by a corrupted pointer in the PALETTE.pfnGetNearestFromPalentry function, which the exploit abuses to execute code in the kernel by way of a malformed PALETTE object. This, according to Oh, is an exploitation technique Microsoft security researchers have been tracking closely for years.\r\n“Observed in an unrelated sample used during the Duqu incident, we have described this relatively old exploit technique in a Virus Bulletin 2015 presentation,” Oh wrote. Duqu attackers were believed to be behind attacks against certificate authorities and spy campaigns on Iran’s nuclear program.\r\nMicrosoft said that while the use of a malformed PALETTE object ties the Duqu and Zirconium exploits together, the way they take advantage of the vulnerability is different.\r\n“This difference clearly indicates that these two exploits are unrelated, despite similarities in their code—similarities that can be attributed to the fact that these exploitation techniques are well-documented,” Oh said.\r\nIn fact, it is the corrupted pointer in the PALETTE.pfnGetNearestFromPalentry function that Microsoft has based its mitigation for CVE-2017-0005 on. In August 2016, with the Windows 10 Anniversary Update, Microsoft released tactical mitigations designed to prevent the abuse of pfnGetNearestFromPalentry, the company claims.\r\nOn the flip side of tactical mitigation are strategic mitigation efforts that include Supervisor Mode Execution Prevention (SMEP), supported by newer-model Intel CPUs, and virtualization-based security (VBS).\r\n“Strategic mitigation like SMEP can effectively raise the bar for a large pool of attackers by instantly rendering hundreds of EoP exploits ineffective, including old-school exploitation methods that call user-mode shellcode directly from the kernel, such as the zero-day exploit for CVE-2017-0005,” Oh wrote.\r\nMicrosoft acknowledges that in some instances sophisticated attackers have been able to work around SMEP protections.\r\n“These bypass mechanisms include the use of kernel ROP gadgets or direct PTE modifications through read-write (RW) primitives,” he said.\r\nTo address these bypass mechanisms, Microsoft said it made improvements to the 64-bit Windows kernel ASLR it introduced with the Windows 10 Anniversary Update. Randomized kernel addresses make SMEP stronger by mitigating the bypass vector that relies on direct PTE corruption, the company said.\r\n“While patches continue to provide single-point fixes for specific vulnerabilities, this attacker behavior highlights how built-in exploit mitigations like SMEP, the ASLR improvements, and virtualization-based security are providing resiliency,” Oh said.\r\nOh says Microsoft is continuing to actively research Zirconium, the APT group it identified as actively exploiting the CVE-2017-0005 vulnerability.\r\nSource: https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/microsoft-offers-analysis-of-zero-day-being-exploited-by-zirconium-group/124600/"
	],
	"report_names": [
		"124600"
	],
	"threat_actors": [
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf7cbbfa87400f63d0832d317f90596a3fc1ae31.pdf",
		"text": "https://archive.orkl.eu/bf7cbbfa87400f63d0832d317f90596a3fc1ae31.txt",
		"img": "https://archive.orkl.eu/bf7cbbfa87400f63d0832d317f90596a3fc1ae31.jpg"
	}
}