Researchers built a profile of one of the most active exploit developers for Windows, known as “Volodya” or “BuggiCorp”
The developers created 15 of 16 Windows LPE exploits traced dated between 2015-2019, including several zero-days, constituting a large share of the Windows LPE exploitation market
Customers of exploit developers include a diverse clientele: banking trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and Russian APT groups such as Turla, APT28 and Buhtrap.
Security researchers at Check Point have developed a technique to identify the developers of the exploits for software vulnerabilities, including zero-day exploits which are highly prized by malware authors.
By recognizing the unique ‘hand-writing’ of individual exploit developers, which is as identifiable as a fingerprint, security researchers were able to:
- Detect the presence of exploits written by these exploit developers in specific malware families
- Detect additional exploits written by the same developer, as they share a common ‘fingerprint.’ This enabled the detection of zero-day exploits written by these developers
- Block all malware families that use a given exploit from a developer that has been studied and fingerprinted
For new malware to be created, vulnerabilities have to be found in software for which a patch or fix does not exist (known as a zero-day vulnerability) or has not yet been widely applied.
Specialist ‘exploit developers’ search for these software vulnerabilities, write code to take advantage of them, and then sell their code to the highest bidders, who then build malware based on it.
Check Point’s researchers found a method of identifying and tracking exploit developers, with the aim of helping to reduce the flow of new zero-day and critical exploits.
Researchers found unique identifiers that could be associated with specific exploit developers by analyzing code, and looking for specific characteristics in the way code was written – in the same way that a graphologist analyzes handwriting, or a fingerprint specialist examines in prints from a crime scene.
Using these analysis methods, Check Point researchers uncovered the work of one of the most active and prevalent exploit developers for the Windows Kernel, called “Volodya”, also known as “BuggiCorp”. Volodya sells exploits for both zero-day and critical vulnerabilities.
Check Point Research found Volodya had been active at least since 2015 and was able to track down 11 different exploits they had written for the Windows Kernel.
Some of their customers include popular crimeware like Dreambot and Magniber, as well as nation-state malware families such as Turla and APT28, which are commonly linked to Russia.
The second exploit developer and seller that Check Point researchers analyzed and fingerprinted is known as “PlayBit” or “luxor2008”.
They only sell exploits for critical vulnerabilities. Check Point researchers were able to find 5 different exploits that were developed by PlayBit and sold to prominent crimeware groups such as REvil and Maze. Both are known for developing notorious ransomware.
Malware Researcher at Check Point, Itay Cohen, said: “This research provides rare insight into how the black market for exploits works. When Check Point finds a vulnerability, we demonstrate its severity, report it to the appropriate vendor, and make sure it’s patched, so it doesn’t pose a threat. However, for individuals trading these exploits, it’s a completely different story. For them, finding the vulnerability is just the beginning. They need to reliably exploit it on as many versions of software and platforms as possible, in order to monetize it to a customer’s satisfaction.
“This research provides insight into how that is achieved, and the buyers in this market, which often include nation-state actors. We believe that this research methodology can be used to identify additional exploit writers. We recommend other researchers try our suggested technique and adopt it as an additional tool in their arsenal.”