Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Hackers Are Using NSA’s DoublePulsar Backdoor in Attacks

A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has been already observed in live attacks.

A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has been already observed in live attacks.

Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems.

DoublePulsar is the primary payload in SMB (Server Message Block) and RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, penetration tester zerosum0x0 explains.

This sophisticated, multi-architecture SMB backdoor can hide on a system and avoid alerting built-in defenses. An attacker could infect a system and return to it after a desired period of time to perform more intrusive actions.

MWR InfoSecurity’s Countercept group also notes that DoublePulsar appears to be a very stealthy kernel-mode payload, while also revealing that it is dropped by default by many exploits. The backdoor, they say, can be used to inject arbitrary DLLs into user land processes.

Following in-depth analysis, Countercept discovered that the malware would enumerate processes to find the suitable one for injecting the user land DLL and execute code. They also discovered that the payload would wipe memory for evasion, though parts of the code would remain unwiped, it seems.

The firm also decided to build a script to detect the presence of both SMB and RDP versions of the DoublePulsar implant, so as to help people find compromises in their networks. “It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not,” they explain.

On April 18, after using the masscan tool developed by @ErrataRob to find 5,502,460 unique hosts with an open port 445 (SMB port), Below0Day used Countercept’s detection script to detect 30,626 hosts with DoublePulsar SMB implant. On April 21, the same scan revealed 5,190,506 exposed hosts and 56,586 infections, most of which were located in the United States.

This shows that the exploit is actively used in infection campaigns, and the number of compromised hosts appears to be growing fast, most probably as more actors are starting using the implant in their assaults.

Related: Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched

Related: Shadow Brokers Release More NSA Exploits

Related: Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.

Malware & Threats

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.