{
	"id": "372637bd-1cb5-43e4-a3fa-378fdb97e5a4",
	"created_at": "2026-04-06T00:16:39.228199Z",
	"updated_at": "2026-04-10T03:25:12.82322Z",
	"deleted_at": null,
	"sha1_hash": "c908b3913cfb795ae11ebaee4424e0bc6ff6bed5",
	"title": "PowerPool malware exploits ALPC LPE zero-day vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 210930,
	"plain_text": "PowerPool malware exploits ALPC LPE zero-day vulnerability\r\nBy Matthieu Faou\r\nArchived: 2026-04-05 20:46:22 UTC\r\nUpdate (11 September 2018): Microsoft has provided a patch for this in today’s Windows Update.\r\nOn August 27, 2018, a so-called zero-day vulnerability affecting Microsoft Windows was published on GitHub\r\nand publicized via a rather acerbic tweet.\r\nSource: Twitter\r\nIt seems obvious that this was not part of a coordinated vulnerability disclosure and there was no patch at the time\r\nthis tweet (since deleted) was published to fix the vulnerability.\r\nIt affects Microsoft Windows OSes from Windows 7 to Windows 10, and in particular the Advanced Local\r\nProcedure Call (ALPC) function, and allows a Local Privilege Escalation (LPE). LPE allows an executable or\r\nhttps://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/\r\nPage 1 of 7\n\nprocess to escalate privileges. In that specific case, it allows an executable launched by a restricted user to gain\r\nadministrative rights.\r\nThe tweet linked to a GitHub repository that contains Proof-of-Concept code for the exploit. Not only was a\r\ncompiled version released – the source code was also. Consequently, anyone can modify and recompile the\r\nexploit, in order to \"improve it\", evade detection, or even incorporate it into their code.\r\nAs one could have predicted, it took only two days before we first identified the use of this exploit in a malicious\r\ncampaign from a group we have dubbed PowerPool. This group has a small number of victims and according to\r\nboth our telemetry and uploads to VirusTotal (we only considered manual uploads from the web interface), the\r\ntargeted countries include Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United\r\nStates and Ukraine.\r\nPowerPool arsenal\r\nThis newly isolated group already has quite a range of tools at its disposal. 
We will provide brief analyses of some\r\nof them here.\r\nALPC Local Privilege Escalation exploit\r\nThe PowerPool developers did not reuse the binary that was provided by the vulnerability’s discloser. They\r\nmodified the source code slightly and recompiled it.\r\nThe exploit has been documented by its original author and has been covered by security researchers and CERTs.\r\nFigure 1 - Description of the exploit by its author\r\nThe flaw is in the SchRpcSetSecurity API function, which does not check the user’s permissions correctly. Thus, a\r\nuser can have write permissions on any file in C:\\Windows\\Task regardless of its actual permissions. That allows a\r\nuser with only read permissions to replace the content of a write-protected file.\r\nAs any user is able to write in C:\\Windows\\Task, it is possible to create a file in this folder that is a hard link to\r\nany target file. Then, by calling the broken function SchRpcSetSecurity, it is possible to gain write access to that\r\ntarget file. To create a Local Privilege Escalation, the attacker needs to choose the target file that will be\r\noverwritten. This needs to be done carefully: it needs to be a file that is executed automatically with administrative\r\nrights. For example, it can be a system file, or the updater of previously installed software that is regularly\r\nexecuted by a task. The final step is to replace the content of this protected target file with malicious code. Thus,\r\nat the next automatic execution, the malware will have administrative rights regardless of its original rights.\r\nPowerPool’s developers chose to change the content of the file C:\\Program Files\r\n(x86)\\Google\\Update\\GoogleUpdate.exe. 
This is the legitimate updater for Google applications and is regularly\r\nrun under administrative privileges by a Microsoft Windows task.\r\nFigure 2 - Creation of a hardlink to the Google Updater\r\nFigure 3 - Abuse of SchRpcCreateFolder to change the permissions of the Google Updater executable\r\nThe sequence of operations shown in the figure above allows the PowerPool operators to gain write access to the\r\nexecutable GoogleUpdate.exe. Then, they overwrite it with a copy of their second-stage malware, described\r\nbelow, in order to gain SYSTEM privileges the next time the updater is called.\r\nInitial compromise\r\nThe PowerPool group uses different approaches to initially compromise a victim. One is to send emails with their\r\nfirst-stage malware as an attachment. It may be too early to say, but to date we've seen very few occurrences in our\r\ntelemetry, so we assume that the recipients are carefully chosen rather than PowerPool running a massive spam\r\ncampaign.\r\nOn the other hand, we know that their spams have been spotted in the past. According to a SANS blogpost\r\nreleased in May 2018, they used a trick with Symbolic Link (.slk) files to distribute their malware. Microsoft\r\nExcel can load these files that update a cell and force Excel to execute PowerShell code. These .slk files seem to\r\nbe distributed in spam messages too. 
Pivoting from the first file mentioned in the SANS blogpost (SHA-1:\r\nb2dc703d3af1d015f4d53b6dbbeb624f5ade5553), on VirusTotal, it is possible to find the related spam sample\r\n(SHA-1: e0882e234cba94b5cf3df2c05949e2e228bedd2b):\r\nFigure 4 - PowerPool spam message\r\nWindows backdoors\r\nThe PowerPool group mainly uses two different backdoors: a first-stage backdoor used just after the first\r\ncompromise and then a second-stage backdoor, probably on the most interesting machines.\r\nFirst-stage backdoor\r\nThis is basic malware used for reconnaissance on the machine. It comprises two Windows executables.\r\nThe first of these is the main backdoor. It establishes persistence through a service. It also creates a mutex named\r\nMyDemonMutex%d where %d ranges from 0 to 10. It is able to collect proxy information and the address of the\r\nC\u0026C server is hardcoded into this binary. It can execute commands and performs some basic reconnaissance of\r\nthe machine, which is then exfiltrated to the C\u0026C server.\r\nFigure 5 - Gathering of proxy information\r\nThe second of these executables has a single purpose. It takes a screenshot of the victim’s display and writes it in\r\nMyScreen.jpg. This file can then be exfiltrated by the main backdoor.\r\nSecond-stage backdoor\r\nThis malware is downloaded via the first stage, presumably when the operators believe the machine is interesting\r\nenough for them to stay on it for a longer time. However, it is clearly not a state-of-the-art APT backdoor.\r\nAgain, the C\u0026C server address is hardcoded in the binary, and has no mechanism to update this crucial\r\nconfiguration item. 
This backdoor seeks commands from http://[C\u0026C domain]/cmdpool and downloads additional\r\nfiles from http://[C\u0026C domain]/upload. These additional files are mainly the lateral-movement tools mentioned\r\nbelow.\r\nThe supported commands are:\r\nExecute a command\r\nKill a process\r\nUpload a file\r\nDownload a file\r\nList a folder\r\nThey are sent in JSON format. The examples below are instructions to execute a command and to list a folder:\r\nFigure 6 - Examples of backdoor commands\r\nLateral movement tools\r\nOnce the PowerPool operators have persistent access to a machine with the second-stage backdoor, they use\r\nseveral open-source tools, mostly written in PowerShell, to move laterally on the network.\r\nPowerDump: This is a Metasploit module that can retrieve usernames and hashes from the Security\r\nAccount Manager (SAM).\r\nPowerSploit: This is a post-exploitation framework in PowerShell, à la Metasploit.\r\nSMBExec: A PowerShell tool to perform pass-the-hash SMB connections.\r\nQuarks PwDump: A Windows executable that can retrieve Windows credentials.\r\nFireMaster: A Windows executable that can retrieve stored passwords from Outlook, web browsers, etc.\r\nConclusion\r\nThe disclosure of vulnerabilities outside of a coordinated disclosure process generally puts many users at risk. In\r\nthis case, even the most up-to-date version of Windows could be compromised as no patch was released when the\r\nvulnerability and exploit were published. The CERT-CC provides some mitigations but Microsoft has not\r\nofficially approved them.\r\nThis specific campaign targets a limited number of users, but don’t be fooled by that: it shows that cybercriminals\r\nalso follow the news and work on employing exploits as soon as they are publicly available.\r\nESET Researchers will continue tracking any malicious usage of this new vulnerability. 
Indicators of Compromise\r\ncan also be found on GitHub. For any inquiries, or to make sample submissions related to the subject, contact us\r\nat threatintel@eset.com.\r\nUpdate (11 September 2018): Microsoft has provided a patch for this in today's Windows Update.\r\nIndicators of compromise\r\nHashes\r\nSHA-1 Type Detection name\r\n038f75dcf1e5277565c68d57fa1f4f7b3005f3f3 First stage backdoor Win32/Agent.SZS\r\n247b542af23ad9c63697428c7b77348681aadc9a First stage backdoor Win32/Agent.TCH\r\n0423672fe9201c325e33f296595fb70dcd81bcd9 Second stage backdoor Win32/Agent.TIA\r\nb4ec4837d07ff64e34947296e73732171d1c1586 Second stage backdoor Win32/Agent.TIA\r\n9dc173d4d4f74765b5fc1e1c9a2d188d5387beea ALPC LPE exploit Win64/Exploit.Agent.H\r\nDetection names\r\nWin32/Agent.SZS\r\nWin32/Agent.TCH\r\nWin32/Agent.TEL\r\nWin32/Agent.THT\r\nWin32/Agent.TDK\r\nWin32/Agent.TIA\r\nWin32/Agent.TID\r\nC\u0026C servers\r\nnewsrental[.]net\r\nrosbusiness[.]eu\r\nafishaonline[.]eu\r\nsports-collectors[.]com\r\n27.102.106[.]149\r\nSource: https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
	],
	"report_names": [
		"powerpool-malware-exploits-zero-day-vulnerability"
	],
	"threat_actors": [
		{
			"id": "62985c5c-6938-4365-8432-29573e99ecf4",
			"created_at": "2022-10-25T16:07:24.075092Z",
			"updated_at": "2026-04-10T02:00:04.859737Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [],
			"source_name": "ETDA:PowerPool",
			"tools": [
				"ALPC Local PrivEsc",
				"FireMaster",
				"PowerDump",
				"PowerSploit",
				"Quarks PwDump",
				"SMBExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "adee5dfb-98d1-488f-969d-48eed28cd7e4",
			"created_at": "2023-01-06T13:46:38.799427Z",
			"updated_at": "2026-04-10T02:00:03.105089Z",
			"deleted_at": null,
			"main_name": "PowerPool",
			"aliases": [
				"IAmTheKing"
			],
			"source_name": "MISPGALAXY:PowerPool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434599,
	"ts_updated_at": 1775791512,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c908b3913cfb795ae11ebaee4424e0bc6ff6bed5.pdf",
		"text": "https://archive.orkl.eu/c908b3913cfb795ae11ebaee4424e0bc6ff6bed5.txt",
		"img": "https://archive.orkl.eu/c908b3913cfb795ae11ebaee4424e0bc6ff6bed5.jpg"
	}
}