A hacking tool allegedly used by the NSA-linked threat actor “Equation Group” that was exposed to the public roughly a week ago has been already observed in live attacks.
Dubbed DoublePulsar, the backdoor was released by the Shadow Brokers hacker group on Friday before the Easter holiday, as part of a password-protected archive containing a larger set of tools and exploits. Last week Microsoft said that the newly revealed exploits don’t affect up-to-date systems.
DoublePulsar is the primary payload in SMB (Server Message Block) and RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software, an exploitation framework similar to Metasploit, penetration tester zerosum0x0 explains.
This sophisticated, multi-architecture SMB backdoor can hide on a system and avoid alerting built-in defenses. An attacker could infect a system and return to it after a desired period of time to perform more intrusive actions.
MWR InfoSecurity’s Countercept group also notes that DoublePulsar appears to be a very stealthy kernel-mode payload, while also revealing that it is dropped by default by many exploits. The backdoor, they say, can be used to inject arbitrary DLLs into user land processes.
Following in-depth analysis, Countercept discovered that the malware would enumerate processes to find the suitable one for injecting the user land DLL and execute code. They also discovered that the payload would wipe memory for evasion, though parts of the code would remain unwiped, it seems.
The firm also decided to build a script to detect the presence of both SMB and RDP versions of the DoublePulsar implant, so as to help people find compromises in their networks. “It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not,” they explain.
On April 18, after using the masscan tool developed by @ErrataRob to find 5,502,460 unique hosts with an open port 445 (SMB port), Below0Day used Countercept’s detection script to detect 30,626 hosts with DoublePulsar SMB implant. On April 21, the same scan revealed 5,190,506 exposed hosts and 56,586 infections, most of which were located in the United States.
This shows that the exploit is actively used in infection campaigns, and the number of compromised hosts appears to be growing fast, most probably as more actors are starting using the implant in their assaults.