NSA Exploit EternalBlue is becoming even common in hacking tools and malware

Pierluigi Paganini June 03, 2017

Security Experts are observing a significant increase in the number of malware and hacking tools leveraging the ETERNALBLUE NSA exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack.

ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.

Investigations on WannaCry revealed that at least other 3 different groups have been leveraging the NSA EternalBlue exploit.

The UIWIX ransomware was one of the first threats discovered in the wild that was leveraging the NSA exploit for its attacks.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating on WannaCry.

Like the WannaCry, UIWIX exploits the same vulnerability in Windows SMB protocol, but the new threat has the ability to run in the memory of the infected system after the exploiting of the EternalBlue.

Researchers from Proofpoint discovered ETERNALBLUE deployed with the Adylkuzz botnet that was spreading cryptocurrency miners, malware experts from Cyphort reported ETERNALBLUE was deployed with various RATs used by Chinese threat actors, and malware researchers at Secdo ETERNALBLUE found the exploit was used to deliver a datastealer developed by Russian hackers and by botnet in China.

Security firm Forcepoint found ETERNALBLUE deployed with various RATs.

“A number of Remote Access Tools have been identified using the EternalBlue exploit to spread. While the use of EternalBlue is common to all of the samples identified, the way the exploit is used varies with some samples (e.g. EternalRocks) taking the form of aggressively self-propagating worms, and others using a centralised scanning and distribution infrastructure similar to UIWIX and Adylkuzz.” reads the analysis published by Forcepoint.

The security researcher Miroslav Stampar found the ETERNALBLUE deployed with six other NSA hacking tools, part of the EternalRocks SMB worm.

Last discovery in order of time was made by experts from FireEye who observed threat actors using the exploit code to deliver non-WannaCry payloads, including the Gh0st RAT and the Backdoor Nitol.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” reads the FireEye report.

EternalBlue SMB exploit.png

Gh0st RAT is a Windows malware that has been used in many espionage campaigns powered by nation-state actors.

“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have been seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” FireEye researchers wrote.

Threat actors used the same EternalBlue and VBScript combination to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region, attackers are sending specially crafted messages to a Microsoft SMBv1 server.

“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later.  These instructions fetch the  payload ‘taskmgr.exe’ from another server in a synchronous call.  This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.

The EternalBlue exploit was also added to Metasploit making easy for attackers to exploit the flaw.

“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” states the post.

“While developed with good intentions, the framework’s exploit modules are often plundered by malware developers, who use them as the base for developing malware.” wrote  bleepingcomputer.com.

To neutralize the threat, it is essential to install MS17-010 security updates.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Patriotic hackers, President Putin)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment