Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

NSA-Linked ‘DarkPulsar’ Exploit Tool Detailed

Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.

Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.

Dubbed DarkPulsar, the tool is an administrative plugin, part of the NSA-linked exploits that the Shadow Brokers group made public in March 2017, specifically the DanderSpritz and FuzzBunch frameworks.

Part of FuzzBunch’s ImplantConfig category, which includes plugins for the post-exploitation stage, DarkPulsar was designed for controlling a passive backdoor named ‘sipauth32.tsp’, which provides remote control of compromised machines.

The DarkPulsar module includes support for a variety of commands, including Burn, RawShellcode, UpgradeImplant, and PingPong, which are meant to remove the implant, run arbitrary code, upgrade the implant, and check if the backdoor is installed on a remote machine, respectively. Other supported commands are EDFStagedUpload, DisableSecurity, and EnableSecurity.

Kaspersky Lab has determined that the DarkPulsar backdoor, which targets both 32-bit and 64-bit systems, was used on 50 victims located in Russia, Iran and Egypt, and that it typically infected machines running Windows Server 2003/2008. The victims are in the nuclear energy, telecommunications, IT, aerospace and R&D sectors.

The security researchers believe that the victims were the targets of a long-term espionage campaign. The backdoor not only includes an advanced mechanism of persistence, but also functionality to bypass the need to enter a valid username and password during authentication. It also encapsulates its traffic into legitimate protocols.

The infection campaign is believed to have stopped after the exploits were made public, but the backdoor likely remained on some of the compromised machines. The malware, however, can only be used by the real DarkPulsar managers, as it requires the private RSA key which pairs to the public key embedded in the backdoor.

“We found around 50 victims, but believe that the figure was much higher when the Fuzzbunch and DanderSpritz frameworks were actively used. We think so because of the DanderSpritz interface, which allows many victims to be managed at the same time,” Kaspersky Lab says.

Advertisement. Scroll to continue reading.

The DarkPulsar administrative interface functions under the principle of “one command – one launch” and is a plugin of the FuzzBunch framework, which was designed to manage parameters and coordinate different components.

The researchers note that the framework for controlling infected machines is, in fact, DanderSpritz, which uses a plugin called PeedleCheap to configure implants and connect to infected machines to enable post-exploitation features.

Through DarkPulsar, a strong connection between DanderSpritz and FuzzBunch emerges. The backdoor is used to deploy the more functional PeddleCheap implant onto the victim machines, via PCDllLauncher, which apparently stands for ‘PeddleCheap DLL Launcher’.

Thus, the researchers concluded that FuzzBunch and DanderSpritz are designed not only to be flexible, but also to extend functionality and compatibility with other tools.

“Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” Kaspersky concludes.

Related: One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat

Related: Event Logs Manipulated With NSA Hacking Tool Recoverable

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...