CVE-2016-0167
published 2016-04-12

Priority: P1 · 83 · high · CVSS 3.1: 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 5.73% (92.1st percentile)
The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability," a different vulnerability than CVE-2016-0143 and CVE-2016-0165.

Affected

14 ranges

Vendor     Product                                   Version range   Fixed in
microsoft  windows_10
microsoft  windows_server_2008
microsoft  windows_server_2012
msrc       windows_10
msrc       windows_10_version_1511
msrc       windows_7
msrc       windows_8.1
msrc       windows_rt_8.1
msrc       windows_server_2008
msrc       windows_server_2008_r2
msrc       windows_server_2012
msrc       windows_server_2012_r2
msrc       windows_vista_service_pack_2
msrc       windows_vista_x64_edition_service_pack_2

Detection & IOCs (extracted from sources)

process  svchost.exe (x86 instance, injected with Shifu main payload)
path     AppData folder (initial loader copy for persistence)
path     Startup folder (Jscript persistence file)
  • Detect Shifu's infection check via Windows atom creation: the malware creates a named atom (carrying the same byte sequence as its mutex) to decide whether the host is already infected, in addition to the mutex '{DAN6J0-ae000000d2000000e100}'.
  • Hunt for a Jscript (.js) file placed in the Windows Startup folder that points to a loader binary copied into the AppData folder; this is Shifu's persistence mechanism.
  • Alert on C2 communications to Namecoin .bit top-level domains from svchost.exe processes; Shifu uses .bit TLDs for C&C, with domain names and URL parameters encrypted via a modified RC4.
  • The CVE-2016-0167 exploit embedded in Shifu's second-stage injector ships both x86 and x64 variants, with a custom PE-loader shellcode appended to the PE as an overlay; scan for PE files carrying an anomalous overlay, and treat a process that loads one and then obtains an elevated context as a kernel-mode privilege escalation candidate.
  • The FIN8 threat group is a known exploiter of CVE-2016-0167 for local privilege escalation; correlate privilege-escalation events with FIN8 TTPs (spearphishing, PowerShell lateral movement, Invoke-Mimikatz credential harvesting).
  • The exploit was confirmed in the wild (Exploited: Yes per Microsoft MSRC); prioritize detection of crafted applications that trigger Windows Graphics Component memory mishandling and end up with an elevated process context.
  • Vawtrak was identified as the first malware known to use this CVE-2016-0167 exploit, with a compilation timestamp of November 2015 for the exploit and January 2016 for the Vawtrak sample itself; the exploit therefore predates Shifu's use of it.
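The host and file indicators above, turned into runnable hunting logic. This is an added example, not code from this page or from the Shifu/Vawtrak write-ups it draws on. It assumes the events use Sysmon field names (EventID 1 ProcessCreate, 11 FileCreate, 22 DnsQuery; Image, ParentImage, TargetFilename, QueryName), and it treats a 32-bit svchost.exe whose parent is not services.exe as rogue, which is this example's heuristic (the page only says Shifu lives in an x86 svchost.exe instance). The sample events and the minimal PE blob are constructed for the demo. The atom/mutex check in the first bullet needs a live host or memory image and is not covered here.

```python
"""Hunting helpers for the Shifu / CVE-2016-0167 indicators listed above.

Added example, not code from the original page or from any vendor report.
Assumed: events use Sysmon field names (EventID 1 ProcessCreate, 11 FileCreate,
22 DnsQuery; Image, ParentImage, TargetFilename, QueryName), and a 32-bit
svchost.exe not started by services.exe is treated as rogue (this example's
heuristic). The sample events and PE blob are constructed, not real telemetry.
"""
import struct

STARTUP_MARK = "\\start menu\\programs\\startup\\"


def startup_js(events):
    """FileCreate of a .js file in any Start Menu\\Programs\\Startup folder."""
    return [
        e["TargetFilename"]
        for e in events
        if e.get("EventID") == 11
        and STARTUP_MARK in e["TargetFilename"].lower()
        and e["TargetFilename"].lower().endswith(".js")
    ]


def rogue_wow64_svchost(events):
    """ProcessCreate of SysWOW64\\svchost.exe whose parent is not services.exe."""
    return [
        (e["Image"], e["ParentImage"])
        for e in events
        if e.get("EventID") == 1
        and e["Image"].lower().endswith("\\syswow64\\svchost.exe")
        and not e["ParentImage"].lower().endswith("\\services.exe")
    ]


def bit_dns_from_svchost(events):
    """DnsQuery for a Namecoin .bit name from any svchost.exe. Ordinary
    resolvers do not serve .bit, so the attempt is the signal even if it fails."""
    return [
        (e["Image"], e["QueryName"])
        for e in events
        if e.get("EventID") == 22
        and e["Image"].lower().endswith("\\svchost.exe")
        and e["QueryName"].lower().rstrip(".").endswith(".bit")
    ]


def pe_overlay(data):
    """Bytes appended after the last raw section, i.e. the PE overlay.
    Walks DOS header -> IMAGE_FILE_HEADER -> section table by hand."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    end = 0
    for i in range(nsections):                   # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def build_pe(section, overlay=b""):
    """Constructed minimal 32-bit PE (one .text section, no optional header)
    used only to exercise pe_overlay() offline."""
    e_lfanew, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section), 0x1000,
                       len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(raw_ptr, b"\0") + section + overlay


SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"EventID": 11, "Image": "C:\\Users\\a\\AppData\\Roaming\\svc\\ldr.exe",
     "TargetFilename": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\upd.js"},
    {"EventID": 11, "Image": "C:\\Program Files\\App\\setup.exe",
     "TargetFilename": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\App.lnk"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "ParentImage": "C:\\Users\\a\\AppData\\Roaming\\svc\\ldr.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 22, "Image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "QueryName": "c2-placeholder.bit"},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com"},
]


if __name__ == "__main__":
    print(startup_js(SAMPLE_EVENTS))
    print(rogue_wow64_svchost(SAMPLE_EVENTS))
    print(bit_dns_from_svchost(SAMPLE_EVENTS))
    print(pe_overlay(build_pe(b"\x90" * 0x100, b"LOADER-SHELLCODE")))
```

Point pe_overlay() at executables under the user's AppData tree when triaging a host. Overlays are not malicious on their own (Authenticode signatures and installer payloads also live there), so use the overlay as a triage filter and confirm with the other rules, for example a loader in AppData that spawns a 32-bit svchost.exe which then looks up a .bit name.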

CVSS provenance

nvd (v3.1)    7.8 HIGH  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0)    7.2 HIGH  AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck     7.8 HIGH
cisa          7.8 HIGH
vendor_msrc   7.8 HIGH