Attackers linked to the Play ransomware group exploited a zero-day Windows privilege escalation vulnerability (CVE-2025-29824) to deploy the Grixba infostealer in a US organization before the patch release. Various tools and batch scripts were used for privilege escalation and persistence. (Affected: US organizations, North America, South America, Europe, Windows environment)
Key points:
- Play ransomware-linked attackers exploited zero-day CVE-2025-29824 in the CLFS driver prior to patch release on April 8, 2025.
- The exploit allowed privilege escalation but ransomware was not deployed; instead, the Grixba infostealer was installed.
- Initial access likely via a public-facing Cisco ASA firewall, moving laterally to Windows machines.
- Attackers used files named to look like Palo Alto software, along with other hacktools, staged in a user’s Music folder.
- PowerShell was used to query Active Directory for details on networked machines, saving output as a CSV.
- The exploitation involved race conditions triggering use-after-free on the CClfsLogCcb structure within Windows kernel memory.
- Exploit created files (PDUDrv.blf and clssrv.inf DLL) used to inject into winlogon.exe and launch batch scripts for privilege escalation and persistence.
- Batch scripts dumped registry hives, created a new admin user, adjusted registry policies, and cleaned up evidence.
- Microsoft stated other threat actors (Storm-2460 group) also exploited this zero-day with a different delivery mechanism (PipeMagic malware).
- Use of zero-day vulnerabilities by ransomware groups like Balloonfly and Black Basta is rare but increasingly observed.
MITRE Techniques:
- Exploit Public-Facing Application (T1190) – Initial access possibly via an exploited public-facing Cisco ASA firewall.
- Privilege Escalation: Exploitation of Vulnerability (T1068) – Abuse of CVE-2025-29824 in CLFS driver for kernel privilege escalation.
- System Information Discovery (T1082) – Using PowerShell cmdlets to enumerate Active Directory computers.
- Boot or Logon Autostart Execution (T1547) – DLL injection into winlogon.exe process for persistence.
- Create or Modify System Process (T1543) – Creating scheduled tasks for executing batch files under SYSTEM privileges.
- Credential Dumping (T1003) – Dumping SAM, SYSTEM, and SECURITY registry hives via batch files.
- Account Manipulation (T1098) – Creating a new user and adding it to the local administrators group.
- Indicator Removal on Host (T1070) – Use of cmdpostfix.bat to delete files and clear artifacts post-exploitation.
Indicators of Compromise:
- The article includes file hashes of malware components such as Grixba infostealer (gt_net.exe), the exploit payload (go.exe), and DLLs (clssrv.inf).
- Batch files (servtask.bat, cmdpostfix.bat) used in the attack can be identified by their hashes as well.
- Suspicious filenames masquerading as legitimate Palo Alto software executables and dynamic libraries (paloaltoconfig.exe/dll).
- Commands and artifacts created in C:\ProgramData\SkyPDF and in user Music folders indicate compromise.
- Examples: SHA256 hashes 6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05b (Grixba infostealer) and 858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe (exploit file go.exe).
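The indicators above can be turned into a simple triage pass over an endpoint file inventory. The following is an added example, not code from the Symantec article: it matches a constructed list of (path, sha256) records against the filenames, staging folders and hashes this page names, and validates each watchlist hash before use (as printed on this page, the Grixba hash is 65 hex characters, so it is flagged as malformed rather than silently never matching). The inventory records and the watchlist structure are assumptions for illustration.

```python
import re

# Watchlist copied verbatim from this page (labels are the page's descriptions).
SHA256_WATCHLIST = {
    "6030c4381b8b5d5c5734341292316723a89f1bdbd2d10bb67c4d06b1242afd05b": "Grixba infostealer (gt_net.exe)",
    "858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe": "exploit file (go.exe)",
}
# Filenames the page attributes to the intrusion (assumption: matched by exact name).
ARTIFACT_NAMES = {"pdudrv.blf", "clssrv.inf", "servtask.bat", "cmdpostfix.bat",
                  "paloaltoconfig.exe", "paloaltoconfig.dll", "gt_net.exe", "go.exe"}
# Staging locations named on the page: C:\ProgramData\SkyPDF and a user's Music folder.
TOOL_EXTENSIONS = (".exe", ".dll", ".bat", ".blf", ".inf")

_SHA256_RE = re.compile(r"[0-9a-f]{64}")

def valid_sha256(value):
    """A SHA-256 hex digest is exactly 64 hex characters; anything else can never match."""
    return bool(_SHA256_RE.fullmatch(value.lower()))

def load_watchlist(raw):
    """Split a watchlist into usable entries and malformed ones so bad IoCs are visible."""
    good, bad = {}, {}
    for digest, label in raw.items():
        (good if valid_sha256(digest) else bad)[digest.lower()] = label
    return good, bad

def is_staging_dir(directory):
    """True for the two staging folders this page describes (case-insensitive)."""
    d = directory.lower()
    return d.startswith("c:\\programdata\\skypdf") or d.endswith("\\music")

def triage(inventory, watchlist):
    """Return (path, reason) pairs for records matching any page-listed indicator.
    inventory: iterable of (path, sha256_or_None), e.g. an exported EDR file listing."""
    hits = []
    for path, digest in inventory:
        directory, _, name = path.lower().rpartition("\\")
        if digest and digest.lower() in watchlist:
            hits.append((path, "hash: " + watchlist[digest.lower()]))
        if name in ARTIFACT_NAMES:
            hits.append((path, "filename: " + name))
        if is_staging_dir(directory) and name.endswith(TOOL_EXTENSIONS):
            hits.append((path, "tool in staging folder: " + directory))
    return hits

SAMPLE_INVENTORY = [  # constructed sample records, not real telemetry
    (r"C:\Users\alice\Music\paloaltoconfig.exe", "858efe4f9037e5efebadaaa70aa8ad096f7244c4c4aeade72c51ddad23d05bfe"),
    (r"C:\ProgramData\SkyPDF\PDUDrv.blf", None),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    (r"C:\Users\alice\Documents\report.docx", None),
]

if __name__ == "__main__":
    usable, malformed = load_watchlist(SHA256_WATCHLIST)
    for h, label in malformed.items():
        print("malformed IoC, skipped:", label, h)
    for path, reason in triage(SAMPLE_INVENTORY, usable):
        print("HIT", path, "->", reason)
```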

Read more: https://www.security.com/threat-intelligence/play-ransomware-zero-day