{"id":58447,"date":"2025-04-08T18:00:00","date_gmt":"2025-04-08T18:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/exploitation-of-clfs-zero-day-leads-to-ransomware-activity\/"},"modified":"2025-04-08T18:00:00","modified_gmt":"2025-04-08T18:00:00","slug":"exploitation-of-clfs-zero-day-leads-to-ransomware-activity","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/exploitation-of-clfs-zero-day-leads-to-ransomware-activity\/","title":{"rendered":"Exploitation of CLFS zero-day leads to ransomware activity"},"content":{"rendered":"
<\/div>\n

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824<\/a>, on April 8, 2025.<\/p>\n

In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware. Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment. Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold.<\/p>\n

This blog details Microsoft\u2019s analysis of the observed CLFS exploit and related activity targeting our customers. This information is shared with our customers and industry partners to improve detection of these attacks and encourage rapid patching or other mitigations, as appropriate. A more comprehensive recommendations section, with indicators of compromise and detection details can be found at the end of the blog post.<\/p>\n

CVE 2025-29824: A zero-day vulnerability in the Common Log File System (CLFS)<\/h2>\n

The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver. Successful exploitation allows an attacker running as a standard user account to escalate privileges. The vulnerability is tracked as CVE-2025-29824<\/a> and was fixed on April 8, 2025.<\/p>\n

Pre-exploitation activity<\/h3>\n

While Microsoft hasn\u2019t determined the initial access vectors that led to the devices being compromised, there are some notable pre-exploitation behaviors by Storm-2460. In multiple cases, the threat actor used the certutil utility to download a file from a legitimate third-party website that was previously compromised to host the threat actor\u2019s malware.<\/p>\n

The downloaded file was a malicious MSBuild file, a technique described here<\/a>, that carried an encrypted malware payload. Once the payload was decrypted and executed via the EnumCalendarInfoA<\/em> API callback, the malware was found to be PipeMagic,<\/a> which Kaspersky documented in October 2024. <\/em>Researchers at ESET have also observed<\/a> the use of PipeMagic in 2023 in connection with the deployment of a zero-day exploit for a Win32k vulnerability assigned CVE-2025-24983<\/a>. A domain used by the PipeMagic sample was aaaaabbbbbbb.eastus.cloudapp.azure[.]com, <\/em>which has now been disabled by Microsoft.<\/p>\n

CLFS exploit activity<\/h3>\n

Following PipeMagic deployment, the attackers launched the CLFS exploit in memory from a dllhost.exe <\/em>process.<\/p>\n

The exploit targets a vulnerability in the CLFS kernel driver. It\u2019s notable that the exploit first uses the NtQuerySystemInformation <\/em>API to leak kernel addresses to user mode. However, beginning in Windows 11, version 24H2, access to certain System Information Classes within NtQuerySystemInformation <\/em>became available only to users with SeDebugPrivilege<\/em>, which typically only admin-like users can obtain. This meant that the exploit did not work on Windows 11, version 24H2, even if the vulnerability was present.<\/p>\n

The exploit then utilizes a memory corruption and the RtlSetAllBits <\/em>API to overwrite the exploit process\u2019s token with the value 0xFFFFFFFF, enabling all privileges for the process, which allows for process injection into SYSTEM processes.<\/p>\n

As part of the exploitation, a CLFS BLF file with the following path is created by the exploit\u2019s dllhost.exe<\/em> process: C:\\ProgramData\\SkyPDF\\PDUDrv.blf<\/em>. <\/p>\n

Post-exploitation activity leads to ransomware activity<\/h3>\n

Upon successful exploitation, a payload is injected into winlogon.exe. <\/em>This payload then injected the Sysinternals procdump.exe<\/em><\/a> tool into another dllhost.exe <\/em>and ran it with the following command line:<\/p>\n

\n
\nC:\\Windows\\system32\\dllhost.exe -accepteula -r -ma lsass.exe c:\\programdata\\[random letters].\n<\/pre>\n<\/div>\n
Having done this, the actor was able to dump the memory of LSASS and parse it to obtain user credentials.<\/p>\n
Then, Microsoft observed ransomware activity on target systems. Files were encrypted and a random extension added, and a ransom note with the name !_READ_ME_REXX2_!.txt<\/em> was dropped. Microsoft is tracking activity associated with this ransomware as Storm-2460.<\/p>\n
Although we weren\u2019t able to obtain a sample of ransomware for analysis, we\u2019re including some notable events surrounding the activity to better help defenders:<\/p>\n