Researchers have developed a new technique to “fingerprint” cybercriminals, including two prolific sellers of Windows exploits.
On Friday, researchers from Check Point said the “fingerprinting” technique has been used to link Windows local privilege escalation (LPE) exploits to two different authors, believed to have sold their creations previously to Russian advanced persistent threat (APT) groups as well as other clients.
In a blog post, the cybersecurity firm said that the technique was developed off the back of a customer response incident, in which a small 64-bit executable was found during an attack.
After analyzing the file, the team found unusual debug strings that pointed to an attempt to exploit a vulnerability on one of the target machines. The file contained a leftover PDB path — “…cve-2019-0859x64ReleaseCmdTest.pdb” — which indicated the use of a real-world exploit tool.
Digging further, Check Point decided to try and “fingerprint” unique identifiers recognizable as