Need assistance in regards to possible zero-day printer nightmare exploit


We are all aware of the printer nightmare exploit and the threat level. I believe I have found a Windows system file that is undetected by every AV solution, however it is not signed by Microsoft and shows over 300 indicators on VirusTotal. The file in question is the udhisapi.dll. After a forensic investigation into printer issues, I found that a local desktop was hosting this file for download as a server. After this I looked and found 12 different versions of this dll on my desktop and 16 versions on the front register (all of which had different locations and sizes). I took the largest of the files to VirusTotal and found this information. Our enterprise security, Bitdefender, had reported 3 printer nightmare exploits on our endpoints, which went up to 6 total exploits within the first two hours of today. The file in question references the SOAP protocol and many blacklisted strings that are whitelisted once the file itself is executed. This is the reason behind my sfc scans and dism commands not properly remediating the issue. From what it seems, there is a MITM actor that intercepts the Windows order for a print, through the spooler service, and drops a malicious file instead. I have had the MRT.exe remove two variants of Windows 32-bit ransomware (cerberus variant) in the past two days, found under the local Microsoft Edge cache (the browser which I print from). The link to the dll in question on VirusTotal is here: VirusTotal
I will also include the file itself on this post, encrypted with password: malicious.
My printer shows intermittent signs of this exploit, as well as being detected as affected by this exploit, regardless of it being updated daily. Signs would include: spooler showing one document pending with no document in the queue; inability to properly disable the spooler service (before the ransomware removal) whether through PowerShell or Windows services. Please offer any guidance on this issue as it is CURRENT. I also have other files that I believe to be related that I will submit if this issue catches traction. Thank you so much!
Edit: now 8/10 endpoints are showing the printer nightmare exploit. 
Edit 2: Attached another file, the Windows media creation tool, downloaded directly from Microsoft, but showing blacklisted languages for Chinese Traditional and Saudi Arabia. As well, related files seem to be malicious. Compiled in 1974 according to PE information.

Edit 3: My security software is blocking connection to our POS server, citing data protection. Printer stopped working for about an hour but was able to get it back online for now. 

Edit 4: Security software blocking credit card processing machine, running Android OS I believe. Owner had me disable data protection module so they could process a transaction. Logged in my notes....

Edit 5: 9/10 endpoints showing printer nightmare exploit.

Edit 6: Security support team from Bitdefender said the files don't relate to the printer nightmare exploit. Apologies if this was tagged incorrectly.

Edit 7: Not at office today, just expanding contacted IPs, referring files and communicating files (regarding the media creation tool). Link to VT graph: https://www.virustotal.com/graph/embed/gf8aeac13b1b74d7d90f369b434226dc2a58e14b3bf604091a86b75007d19...
Nearly all files are new as of this year or last year.

Edit 8: Yes, I am making the claim that the main Windows media creation tool for 21H1 is backdoored. I understand the implications and how unlikely this is. Reddit classified this type of malware as "polymorphic code with variable covert data exfiltration". I also have made a simplified graph on VT only containing the execution parents, and communicating files to contacted IPs by the media creation tool. Link: https://www.virustotal.com/graph/gac59b3c279394c019262f6fc7cb03e6eabaf85fa7cda48de87880b180c58826b

Edit 9: Here is the link to an analysis of the original officesetup.exe that started my investigation 3 months ago: Trusted application OfficeSetup.exe - Intezer
The strings referenced that concern me are the "admin tools": TeamViewer, monero, wireshark, bitcoin, injectproc, driver toolkit, and others. More malicious files being detected by msert.exe today. I will upload the office setup file here as well, password: malicious.

Edit 10: As well, the MITRE shows a Unix command/scripting interpreter utilized and references a command and control server.

Edit 11: Suspicious program connecting through firewall, according to Bitdefender. Uploading with password: malicious
Also will run a dynamic sandbox report.

Edit 12: WildTangentHelperService.exe Suspicious File - Intezer

Edit 13: Msert found over 20 infected files, but did not remove or list any. I have seen this before and know it can be normal. Given my situation I have suspicions however.

Edit 14: Home system seems to be infected still by whatever form of malware this is. Uploading more files that were dropped as a Windows upgrade and scan clean. My explorer (Windows UI) is crashing randomly and restarting. Password malicious. Removed wildtangentservice, as it is not Windows related I believe.

0 Replies
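
A triage check for the situation described in the post, added here as an example and not part of the original post: it inventories every copy of a DLL by name, hashes each one, and reports the signature state as Windows itself evaluates it, including catalog signatures that a check for an embedded signature alone does not show. The search roots and variable names are assumptions; it expects Windows PowerShell 5.1 or later in an elevated session.

```powershell
# Added example (assumed names and paths): inventory all copies of one DLL,
# then report hash, version and signature state for each copy.
$Name  = 'udhisapi.dll'
$Roots = @("$env:SystemRoot\System32",
           "$env:SystemRoot\SysWOW64",
           "$env:SystemRoot\WinSxS")

$copies = Get-ChildItem -Path $Roots -Filter $Name -Recurse -File -Force `
                        -ErrorAction SilentlyContinue

$report = foreach ($file in $copies) {
    # Get-AuthenticodeSignature evaluates embedded and catalog signatures.
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path          = $file.FullName
        Size          = $file.Length
        FileVersion   = $file.VersionInfo.FileVersion
        SHA256        = $hash.Hash
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
    }
}

# How many distinct builds are present, and where each one lives.
$report | Group-Object SHA256 | ForEach-Object {
    [pscustomobject]@{
        SHA256 = $_.Name
        Copies = $_.Count
        Sizes  = ($_.Group.Size | Sort-Object -Unique) -join ', '
        First  = $_.Group[0].Path
    }
} | Format-Table -AutoSize

# Copies that deserve a closer look: signature invalid or absent,
# or the file is not recognised as an operating-system binary.
$report | Where-Object { $_.Status -ne 'Valid' -or -not $_.IsOSBinary } |
    Format-List Path, Size, SHA256, Status, SignatureType, Signer

# Current state of the print spooler service on this endpoint.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Run it on each endpoint and compare the SHA256 groups between machines; the hashes can then be looked up individually instead of uploading only the largest copy.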