Russian Hackers Exploit CVE-2025-26633 to Deploy SilentPrism and DarkWisp Backdoors

In March 2025, cybersecurity researchers identified a sophisticated cyberattack campaign orchestrated by a Russian hacking group known as Water Gamayun, also referred to as EncryptHub and LARVA-208. This group exploited a critical vulnerability in the Microsoft Management Console (MMC), designated as CVE-2025-26633, to deploy two new backdoors named SilentPrism and DarkWisp.

Understanding CVE-2025-26633

CVE-2025-26633 is a security flaw within the MMC framework, a vital component in Windows operating systems that provides a unified interface for system management. This vulnerability arises from improper neutralization of specific inputs, allowing attackers to bypass security mechanisms and execute arbitrary code. The flaw is particularly concerning due to its potential to grant unauthorized access and control over affected systems.

Exploitation Techniques

Water Gamayun’s exploitation of CVE-2025-26633 relied on three delivery techniques:

1. Malicious Provisioning Packages (.ppkg): These packages, typically used for configuring Windows devices, were manipulated to include malicious scripts that, when executed, initiated the infection chain.

2. Signed Microsoft Windows Installer Files (.msi): The attackers crafted .msi files that appeared legitimate, often masquerading as popular messaging and meeting applications like DingTalk, QQTalk, and VooV Meeting. These installers executed PowerShell scripts to download and run additional malicious payloads.

3. Microsoft Console Files (.msc): By exploiting the MMC vulnerability, the attackers used rogue .msc files to execute malware, effectively bypassing standard security protocols.

Deployment of SilentPrism and DarkWisp

The primary payloads delivered through these methods were two PowerShell-based backdoors:

– SilentPrism: This implant establishes persistence on the infected system, allowing the attackers to execute multiple shell commands simultaneously and maintain remote control. It incorporates anti-analysis techniques to evade detection, making it particularly stealthy.

– DarkWisp: This backdoor focuses on system reconnaissance and data exfiltration. It collects detailed system information, including antivirus software details, installed applications, network configurations, and running processes. DarkWisp also extracts sensitive data such as Wi-Fi passwords, Windows product keys, clipboard history, and browser credentials.

Command and Control Mechanism

Both backdoors communicate with the attackers’ command and control (C&C) servers over TCP port 8080. They await commands in the format `COMMAND|`, ensuring continuous interaction with the server. This setup allows the attackers to execute commands, maintain connectivity, and securely transmit results without raising suspicion.
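The delivery techniques listed under "Exploitation Techniques" and the C&C behaviour described above translate directly into host-based detection logic. The following is an added example written for this page; it is not code from the original article, from Trend Micro, or from any vendor product. It assumes endpoint telemetry in a Sysmon-style layout flattened to JSON lines (EventID 1 for process creation, EventID 3 for network connections); the field names follow Sysmon's conventions, and the hosts, file paths and IP addresses in the sample log are constructed for the example. The "user-writable path" heuristic (Downloads, AppData, Desktop, Temp) and the rule identifiers `WG-001` to `WG-003` are assumptions of this example, not indicators published with the campaign.

```python
"""Detection rules for the Water Gamayun tradecraft described in the article.

Added example, not code from the original page. Input format is an assumption:
Sysmon-style events serialised as JSON lines (EventID 1 = process creation,
EventID 3 = network connection). All sample data below is constructed.
"""
import json
import re

# Constructed sample telemetry. Event 0, 3 and 5 are benign; 1, 2 and 4 model
# the three behaviours the article describes (rogue .msc, .msi running
# PowerShell, PowerShell beaconing to TCP/8080).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" C:\\Windows\\System32\\services.msc"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mmc.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mmc.exe\" C:\\Users\\alice\\Downloads\\update.msc"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\alice\\AppData\\Local\\Temp\\setup.ps1"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Protocol": "tcp", "DestinationIp": "198.51.100.23", "DestinationPort": 8080}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Protocol": "tcp", "DestinationIp": "203.0.113.44", "DestinationPort": 443}
"""

# Heuristic (assumption of this example): locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.IGNORECASE)
# Any whitespace-free token ending in .msc on the command line.
MSC_ARG = re.compile(r"(\S+\.msc)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_rogue_msc(ev):
    """WG-001: mmc.exe opening a console file from a user-writable location."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "mmc.exe":
        return None
    for msc in MSC_ARG.findall(ev.get("CommandLine", "")):
        if USER_WRITABLE.search(msc):
            return f"mmc.exe loaded console file from user-writable path: {msc}"
    return None


def rule_msi_spawns_powershell(ev):
    """WG-002: an installer (msiexec.exe) launching PowerShell, as the lure .msi files did."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) == "msiexec.exe" and basename(ev.get("Image", "")) == "powershell.exe":
        return "msiexec.exe spawned PowerShell: " + ev.get("CommandLine", "")
    return None


def rule_powershell_tcp_8080(ev):
    """WG-003: PowerShell making an outbound TCP connection to port 8080 (C&C port in the article)."""
    if ev.get("EventID") != 3:
        return None
    if (ev.get("Protocol", "").lower() == "tcp"
            and int(ev.get("DestinationPort", 0)) == 8080
            and basename(ev.get("Image", "")) == "powershell.exe"):
        return f"PowerShell outbound TCP/8080 to {ev.get('DestinationIp')}"
    return None


RULES = [
    ("WG-001", rule_rogue_msc),
    ("WG-002", rule_msi_spawns_powershell),
    ("WG-003", rule_powershell_tcp_8080),
]


def detect(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for idx, ev in enumerate(events):
        for rule_id, rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"rule": rule_id, "event": idx, "detail": detail})
    return findings


def scan(text):
    """Convenience wrapper: parse JSON-lines telemetry and evaluate the rules."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['rule']}] event #{f['event']}: {f['detail']}")
```

Each rule is deliberately narrow so that it can be tuned independently: WG-001 will also fire on legitimate consoles an administrator saves to their profile, WG-003 will fire on internal tooling that legitimately uses port 8080, and neither is a substitute for patching. In a real deployment the same three conditions map cleanly onto SIEM correlation rules or EDR custom detections, and a hit on WG-002 followed within minutes by WG-003 on the same host is the chain worth paging on.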

Additional Payloads and Tools

In addition to SilentPrism and DarkWisp, Water Gamayun deployed other malicious tools:

– MSC EvilTwin Loader: This loader exploits CVE-2025-26633 to execute malicious .msc files, leading to the deployment of the Rhadamanthys Stealer. It also performs system cleanup to avoid leaving forensic evidence.

– Rhadamanthys Stealer: A commodity stealer designed to extract sensitive information from infected systems.

– StealC: Another information stealer used by the attackers to gather credentials and other valuable data.

– EncryptHub Stealer Variants A, B, and C: Custom PowerShell-based stealers capable of collecting extensive system information and sensitive data.

Mitigation Measures

To protect against such sophisticated attacks, organizations should implement the following measures:

1. Apply Security Updates: Ensure all systems are updated with the latest security patches, particularly those addressing CVE-2025-26633.

2. Restrict Execution of Untrusted Files: Configure Group Policy settings to prevent the execution of untrusted .msc and .msi files.

3. Educate Users: Train employees to recognize phishing attempts and avoid opening attachments or downloading files from unknown sources.

4. Deploy Endpoint Protection: Utilize advanced endpoint detection and response (EDR) solutions to identify and block malicious activities.

5. Monitor Network Traffic: Regularly monitor network traffic for unusual activities, such as unexpected communications over TCP port 8080.

6. Implement Least Privilege Access: Ensure users operate with the minimum necessary privileges to reduce the potential impact of a successful attack.

Conclusion

The exploitation of CVE-2025-26633 by Water Gamayun underscores the evolving sophistication of cyber threats. By leveraging legitimate system components and employing advanced evasion techniques, attackers can infiltrate systems and maintain prolonged access. Organizations must remain vigilant, promptly apply security patches, and adopt comprehensive security practices to defend against such threats.