NSA Exploit EternalBlue is becoming even common in hacking tools and malware

June 3, 2017  By Pierluigi Paganini


Security Experts are observing a significant increase in the number of malware and hacking tools leveraging the ETERNALBLUE NSA exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack.

ETERNALBLUE targets the SMBv1 protocol and it has become widely adopted in the community of malware developers.

Investigations on WannaCry revealed that at least other 3 different groups have been leveraging the NSA EternalBlue exploit.

The UIWIX ransomware was one of the first threats discovered in the wild that was leveraging the NSA exploit for its attacks.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating on WannaCry.

Like the WannaCry, UIWIX exploits the same vulnerability in Windows SMB protocol, but the new threat has the ability to run in the memory of the infected system after the exploiting of the EternalBlue.

Researchers from Proofpoint discovered ETERNALBLUE deployed with the Adylkuzz botnet that was spreading cryptocurrency miners, malware experts from Cyphort reported ETERNALBLUE was deployed with various RATs used by Chinese threat actors, and malware researchers at Secdo ETERNALBLUE found the exploit was used to deliver a datastealer developed by Russian hackers and by botnet in China.

Security firm Forcepoint found ETERNALBLUE deployed with various RATs.

“A number of Remote Access Tools have been identified using the EternalBlue exploit to spread. While the use of EternalBlue is common to all of the samples identified, the way the exploit is used varies with some samples (e.g. EternalRocks) taking the form of aggressively self-propagating worms, and others using a centralised scanning and distribution infrastructure similar to UIWIX and Adylkuzz.” reads the analysis published by Forcepoint.

The security researcher Miroslav Stampar found the ETERNALBLUE deployed with six other NSA hacking tools, part of the EternalRocks SMB worm.

Last discovery in order of time was made by experts from FireEye who observed threat actors using the exploit code to deliver non-WannaCry payloads, including the Gh0st RAT and the Backdoor Nitol.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” reads the FireEye report.

EternalBlue SMB exploit.png

Gh0st RAT is a Windows malware that has been used in many espionage campaigns powered by nation-state actors.

“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have been seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” FireEye researchers wrote.

Threat actors used the same EternalBlue and VBScript combination to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region, attackers are sending specially crafted messages to a Microsoft SMBv1 server.

“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later.  These instructions fetch the  payload ‘taskmgr.exe’ from another server in a synchronous call.  This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.

The EternalBlue exploit was also added to Metasploit making easy for attackers to exploit the flaw.

“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” states the post.

“While developed with good intentions, the framework’s exploit modules are often plundered by malware developers, who use them as the base for developing malware.” wrote  bleepingcomputer.com.

To neutralize the threat, it is essential to install MS17-010 security updates.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Patriotic hackers, President Putin)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Unsecure Hadoop Distributed File System installs 5 PB of Data

 According to Shodan search, unprotected Hadoop Distributed File System installations expose 5 PB of data. Hadoop servers...