Threat Spotlight: EternalBlue Exploit Breeds EternalRocks Malware


In mid-April, a group that identified themselves as “The Shadow Brokers” disclosed an archive of exploits, backdoors, and other hacking tools supposedly affiliated with an advanced persistent threat actor called “The Equation Group.”

The Equation Group is generally agreed to be a pseudonym for a highly sophisticated nation-state actor with access to substantial resources. Though there are a number of articles speculating on the actual source of the tools contained within the archive, it is not necessary to attribute them to any particular actor in order to see their ramifications and build defenses to block their threats.  

Included in the archive were exploits that allowed the execution of arbitrary code on remote systems, often targeting network services that listen by default on most versions of Windows. Foremost among these is the now infamous “EternalBlue” exploit, which abuses a flaw in the SMBv1 server (server message block, TCP port 445; patched by Microsoft as MS17-010) and was used to great effect in the recent WannaCry ransomware attack. It was also speculated to have been used to spread the Adylkuzz crypto-currency miner.

Attacks leveraging the EternalBlue exploit generally follow this pattern:

  1. A vulnerable system is identified: one exposing SMB (TCP port 445) and missing the MS17-010 patch.
  2. EternalBlue (or another exploit) is used to achieve remote code execution.
  3. The DoublePulsar backdoor is installed in kernel memory. It allows remote control of the infected system and the upload of an additional payload, and it survives as long as the system is not rebooted or cleaned.
  4. An arbitrary payload is injected into the target system’s memory through the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could be any payload, including malware that does a much better job of hiding on a system.
  5. In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could (Read more...)
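The chain above leaves a detectable artifact at step 3: a DoublePulsar-infected host answers a specially crafted SMB1 Trans2 request (subcommand SESSION_SETUP, 0x000E, sent with Multiplex ID 0x41) with a response whose Multiplex ID is 0x51, whereas an unmodified SMB server simply echoes 0x41. The script below is an added example, not code from the Cylance post or from Cylance: it decodes the SMB1 header of captured responses and classifies each host by that Multiplex ID check. It does not send the probe itself (that needs a negotiated SMB session), and the sample responses, host addresses and the error status on the clean response are constructed for illustration.

```python
"""Classify captured SMB1 responses to the DoublePulsar 'ping' probe.

Added example (not part of the original post). The only detection
signal used is the Multiplex ID (MID) of the Trans2 response:
probe MID 0x41 -> 0x51 means the implant answered, 0x41 means a
normal server answered. Header layout follows MS-CIFS (little-endian).
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41           # MID used by the public detection probe
IMPLANT_MID_DELTA = 0x10   # implant replies with MID 0x41 + 0x10 = 0x51
HDR_FMT = "<4sBIBHH8sHHHHH"  # 32-byte SMB1 header
HDR_LEN = struct.calcsize(HDR_FMT)


def build_smb1_header(command, mid, status=0, flags=0x98, flags2=0xC807,
                      tid=0, pid=0xFEFF, uid=0):
    """Return a 32-byte SMB1 header; used here to build sample responses."""
    return struct.pack(HDR_FMT, SMB1_MAGIC, command, status, flags, flags2,
                       0,            # PIDHigh
                       b"\x00" * 8,  # SecurityFeatures / signature
                       0,            # Reserved
                       tid, pid, uid, mid)


def netbios_wrap(smb):
    """Prefix a NetBIOS session header: type 0x00 plus 24-bit big-endian length."""
    return struct.pack(">I", len(smb)) + smb


def parse_smb1(packet):
    """Strip the NetBIOS header and decode the SMB1 header into a dict.

    Raises ValueError for anything that is not a well-formed SMB1 message.
    """
    if len(packet) < 4 + HDR_LEN:
        raise ValueError("short packet")
    nb_type, nb_len = packet[0], int.from_bytes(packet[1:4], "big")
    if nb_type != 0 or nb_len != len(packet) - 4:
        raise ValueError("bad NetBIOS session header")
    smb = packet[4:]
    (magic, command, status, flags, flags2, _pid_hi, sec, _res,
     tid, pid, uid, mid) = struct.unpack(HDR_FMT, smb[:HDR_LEN])
    if magic != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "security_features": sec, "tid": tid,
            "pid": pid, "uid": uid, "mid": mid, "body": smb[HDR_LEN:]}


def looks_like_smb1(packet):
    """True if parse_smb1 accepts the packet, False otherwise."""
    try:
        parse_smb1(packet)
        return True
    except ValueError:
        return False


def classify_ping_response(packet, probe_mid=PROBE_MID):
    """Return 'implant', 'clean' or 'unexpected' for one captured response."""
    hdr = parse_smb1(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"          # not a Trans2 response at all
    if hdr["mid"] == probe_mid + IMPLANT_MID_DELTA:
        return "implant"             # backdoor rewrote the MID
    if hdr["mid"] == probe_mid:
        return "clean"               # server echoed the MID unchanged
    return "unexpected"


def sweep(captures):
    """Map {host: response_bytes} to the sorted list of hosts flagged as infected."""
    return sorted(h for h, p in captures.items()
                  if looks_like_smb1(p) and classify_ping_response(p) == "implant")


# Constructed sample responses (WordCount=0, ByteCount=0 body).
EMPTY_BODY = b"\x00\x00\x00"
SAMPLE_IMPLANT = netbios_wrap(
    build_smb1_header(SMB_COM_TRANSACTION2, mid=0x51) + EMPTY_BODY)
# Illustrative: a clean server echoes MID 0x41; the NT status value is made up.
SAMPLE_CLEAN = netbios_wrap(
    build_smb1_header(SMB_COM_TRANSACTION2, mid=0x41, status=0xC0000002) + EMPTY_BODY)
SAMPLE_OTHER = netbios_wrap(
    build_smb1_header(0x72, mid=0x41) + EMPTY_BODY)  # SMB_COM_NEGOTIATE reply
CAPTURES = {"10.0.0.5": SAMPLE_CLEAN, "10.0.0.7": SAMPLE_IMPLANT,
            "10.0.0.9": SAMPLE_OTHER, "10.0.0.11": b"\x00\x00\x00\x05hello"}

if __name__ == "__main__":
    for host, packet in CAPTURES.items():
        verdict = classify_ping_response(packet) if looks_like_smb1(packet) else "not smb1"
        print(f"{host}: {verdict}")
    print("infected:", sweep(CAPTURES))
```

The Multiplex ID check is deliberately the only signal: it is cheap to evaluate over a packet capture of an internal SMB sweep, and it fires on the backdoor rather than on any particular payload, so it catches a DoublePulsar implant whether the operator later pushes ransomware, a miner, or something quieter. A reboot removes the in-memory implant, so a clean verdict says nothing about whether the host is still unpatched; step 1 of the chain still has to be closed by applying MS17-010 and disabling SMBv1.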

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team.