Recent developments in cybersecurity research have shed light on the complex world of malware development, emphasizing how it often involves collaboration among specialized individuals. This collaborative effort raises the question of whether the code produced carries fingerprints that could potentially identify the authors behind it.
On Friday, cybersecurity researchers introduced a new methodology aimed at identifying exploit authors by analyzing the unique characteristics of their code. The researchers were able to connect 16 Windows local privilege escalation exploits to two prominent zero-day vendors known as “Volodya” and “PlayBit.”
According to researchers from Check Point, the traditional approach of tracking entire malware families was set aside in favor of a focused analysis on the specific functions crafted by the exploit developers. This shift in strategy exposed each developer's distinctive coding habits, which could then be traced back to their earlier exploits.
Characterizing Exploit Development Patterns
This innovative technique essentially creates a fingerprint of an exploit based on distinct artifacts associated with its developer. These artifacts may include hard-coded values, specific naming conventions, or the organizational structure of the code itself.
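The artifact-based fingerprinting described above, as an added illustration that is not Check Point's code or data: hard-coded constants and strings are pulled from a sample, compared against per-developer profiles built from known samples, and scored with rarity weighting so that generic API names shared by everyone count for less than a developer's own habits. The profiles dev_A and dev_B, the function names, and every byte string are constructed stand-ins.

```python
import re
import struct
from collections import Counter
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")  # printable runs of 5+ bytes

def extract_features(blob: bytes) -> set:
    """Artifacts a developer repeats: printable strings (naming habits) and aligned
    32-bit constants (hard-coded offsets, magic values); text is blanked first."""
    feats = {"str:" + s.decode("ascii") for s in STRING_RE.findall(blob)}
    masked = STRING_RE.sub(lambda m: b"\x00" * len(m.group(0)), blob)
    for off in range(0, len(masked) - 3, 4):
        val = struct.unpack_from("<I", masked, off)[0]
        if val >= 0x10000:  # skip small integers (counters, flags, enum values)
            feats.add(f"dword:{val:#010x}")
    return feats

def rarity_weight(profiles: dict):
    """Weight = 1 / number of profiles containing the artifact: generic API names
    shared by every developer carry little evidence, unique habits carry most."""
    count = Counter(f for p in profiles.values() for f in p)
    return lambda f: 1.0 / max(1, count[f])

def weighted_jaccard(a: set, b: set, w) -> float:
    union = sum(w(f) for f in a | b)
    return sum(w(f) for f in a & b) / union if union else 0.0

def attribute(blob: bytes, profiles: dict, threshold: float = 0.3):
    """Return (best-matching developer, or None below threshold; all scores)."""
    w, feats = rarity_weight(profiles), extract_features(blob)
    scores = {d: weighted_jaccard(feats, p, w) for d, p in profiles.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else None), scores

def make_sample(strings, consts) -> bytes:
    """Constructed stand-in for a stripped binary: NUL-terminated strings padded
    to 4 bytes, followed by little-endian dword constants."""
    out = b"".join(s.encode() + b"\x00" * (-(len(s) + 1) % 4 + 1) for s in strings)
    return out + b"".join(struct.pack("<I", c) for c in consts)

# Constructed samples; dev_A / dev_B stand in for two developer profiles. The API
# names occur in both, while naming habits and constants are specific to each.
API = ["NtQuerySystemInformation", "ExAllocatePoolWithTag"]
KNOWN = {
    "dev_A": [make_sample(API + ["wnd_lpe_stage1"], [0x7FFE0308, 0x00FF4A20]),
              make_sample(API + ["wnd_lpe_stage1", "wnd_lpe_stage2"], [0x7FFE0308, 0x00FF4A44])],
    "dev_B": [make_sample(API + ["pb_spray_loop"], [0x1CE00000, 0x00041000]),
              make_sample(API + ["pb_spray_loop", "pb_leak_ptr"], [0x1CE00000, 0x00041000])],
}
# developer -> union of artifacts seen across that developer's known samples
PROFILES = {d: set().union(*map(extract_features, bs)) for d, bs in KNOWN.items()}
UNKNOWN = make_sample(API + ["wnd_lpe_stage2"], [0x7FFE0308, 0x00FF4A44])  # -> dev_A
UNRELATED = make_sample(API + ["dl_payload_main"], [0x40000000])          # -> None
```

With these samples `attribute(UNKNOWN, PROFILES)` scores dev_A at 0.67 against 0.13 for dev_B, while the unrelated sample matches only the shared API names and falls below the threshold.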
This analytical approach was prompted by a complex cyberattack targeting one of Check Point’s clients, which involved a 64-bit malware executable exploiting CVE-2019-0859 for privilege escalation. Notably, researchers discovered that the exploit and the accompanying malware were produced by different teams. Reverse-engineering the distinctive properties of that binary then allowed them to identify at least 11 additional exploits tied to the developer “Volodya.”
Researchers pointed out that successful exploit hunters typically belong to specialized teams that do not overlap with malware developers; the latter usually want to drop an exploit into their existing framework without concerning themselves with its internals.
Volodya, believed to have origins in Ukraine, has been an active seller of Windows zero-day vulnerabilities to various criminal organizations, charging prices ranging from $85,000 to $200,000. Notably, one of his exploits involved a memory corruption flaw in “NtUserSetWindowLongPtr” (CVE-2016-7255), which has been exploited by various ransomware families.
In total, five zero-day and six one-day exploits dating from 2015 to 2019 were attributed to Volodya. Following the same analytical framework, researchers identified five additional local privilege escalation exploits related to another developer known as PlayBit.
Diverse Clientele and Evolving Tactics
Upon examining the shared code characteristics among the exploits, researchers noted consistent exploitation methodologies from both developers. Interestingly, Volodya’s practices have evolved, shifting from offering exploits as embeddable source code to providing utilities that interface through specific APIs.
Volodya’s clientele extends beyond ransomware groups, serving various threat actors and APT groups, including Turla and APT28. This trend suggests that even sophisticated state-sponsored actors are resorting to purchasing exploits instead of developing them in-house.
These findings underscore the evolving landscape of cyber threats and the leverage points available for mitigation. The use of unique code signatures to track exploit developers holds promise for deeper insight into the exploit market. As noted by Cohen from Check Point, identifying and reporting vulnerabilities is essential, yet for exploit traders, the challenge lies in reliably exploiting these vulnerabilities across various platforms to maximize their profit potential.
As the frequency and sophistication of cyberattacks continue to escalate, this research could aid in pinpointing additional exploit authors and understanding their connections within the underbelly of the cybercrime ecosystem.