Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

NSA-Linked Implant Patched to Work on Windows Embedded

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.

The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.

In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).

As it turns out, although it would work on a wide range of Windows releases, DoublePulsar wouldn’t work on devices running a Windows Embedded operating system, even if the platform itself is vulnerable to the NSA-linked exploits, a security researcher who uses the online handler of Capt. Meelo says.

Windows Embedded, the researcher discovered, was indeed vulnerable to the exploits, but the relevant Metasploit modules wouldn’t work on it. Using FuzzBunch, however, he verified that the target device was indeed vulnerable via the EternalBlue exploit.

While exploitation via the EternalBlue module and the result were successful, the installation of DoublePulsar failed, so the researcher decided to analyze the implant to discover why.

What he found was that one simple line of code was enough to make it work on Windows Embedded.

DoublePulsar was designed to check the Windows version on the target machine and take one installation path on Windows 7 or another (and perform other OS checks) on other platform iterations. However, there was no check for Windows Embedded, which generated an error message.

By simply modifying an instruction in the “Windows 7 OS Check,” the researcher was able to force the implant into taking that specific installation path.

“To do this, I went to Edit > Patch program > Change byte. Then I changed the value 74 (opcode of JZ) to 75 (opcode of JNZ). I then created a DIF file by going to File > Produce file > Create DIF file,” Capt. Meelo explains.

Using a script from a security enthusiast who calls himself StalkR, he then patched the modified .exe file and then moved the modified Doublepulsar-1.3.1.exe back to its original location. This resulted in a successful injection of the generated DLL payload to the target host.

Related: One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.