CVE-2019-0797 Windows Zero-Day exploited by FruityArmor and SandCat APT Groups

One of the zero-day flaws (CVE-2019-0797) patched this week by Microsoft has been exploited in targeted attacks by several threats groups, including FruityArmor and SandCat APT groups.

This week, Microsoft released Patch Tuesday Security Update for March 2019 that address 64 flaws, including two Windows zero-day vulnerabilities exploited in targeted attacks.

One of the flaws, tracked as CVE-2019-0808, was disclosed by Google’s Threat Analysis Group after it has observed targeted attacks exploiting the issue alongside a recently addressed flaw in Chrome flaw (CVE-2019-5786).

The second zero-day, tracked as CVE-2019-0797, was reported to Microsoft by experts at Kaspersky Lab, which states the issue has been exploited by several threat actors, including FruityArmor and SandCat APT groups.

FruityArmor is a cyber-espionage group that was first observed in 2016 while targeting activists, researchers, and individuals related to government organizations in Thailand, Iran, Algeria, Yemen, Saudi Arabia, and Sweden. Experts believe FruityArmor´s activity has been slowly increasing during the last two years, the group

In October 2018, FruityArmor exploited another Windows zero-day in targeted attacks aimed at entities in the Middle East.

The SandCat APT was discovered by Kaspersky Lab at the end of 2018 when the group used a flaw (CVE-2018-8611) addressed with security updates released by Microsoft in December.

The CVE-2018-8611 is a race condition that resides in the Kernel Transaction Manager, and most interesting, it could be used to escape the sandbox of the Chrome and Edge web browsers.

The vulnerability was reported to Microsoft by Kaspersky Lab that in two months reported other two Windows zero-days, CVE-2018-8453 and CVE-2018-8589, respectively exploited by FruityArmor and multiple threat actors in attacks mostly aimed at the Middle East.

SandCat was also using the FinFisher/FinSpy spyware and the CHAINSHOT malware,

“we believe this exploit is used by several threat actors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used zero-days before, SandCat is a new APT we discovered only recently.” reads the analysis published by Kaspersky Lab.

“In addition to CVE-2019-0797 and CHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.”

CVE-2019-0797

At the time of writing, Kaspersky Lab does not have any information about the targets of the attacks involving the CVE-2019-0797.

The CVE-2019-0797 vulnerability is the fourth zero-day vulnerability actively exploited in recent months by Kaspersky.