Threat Spotlight: The Shadow Brokers and EternalPulsar Malware


On 14 April 2017, the “Lost in Translation” leak was announced by The Shadow Brokers group, providing a link to an archive containing a plethora of exploits and hacking tools developed by the NSA and subsequently stolen. While some began incorporating the exploits in their malware, it wasn’t until May 2017 that the first in-the-wild samples were observed spreading.

The WannaCry ransomware affected many thousands of devices by leveraging EternalBlue, an Server Message Block (SMB) exploit that provides remote code execution capabilities, in this instance utilized to provide worm propagation capabilities.

More recently, Petya-like was seen to use a similar methodology, incorporating EternalRomance alongside EternalBlue to worm across networks. In addition, the BitCoin miner Adylkuzz contained an embedded EternalBlue implementation, and pen-testing tools such as Metasploit were swiftly updated to include support for the SMB exploits.

In our previous blog posts we described the EternalRocks malware that combined all the Eternal exploits. We also analyzed the implementation of EternalBlue used by WannaCry ransomware and Petya-like.

In this article, we will outline all the SMB exploits leaked by “The Shadow Brokers” (EternalBlue/EternalRomance/EternalSynergy/EternalChampion), focusing on the shellcode they use and the DoublePulsar backdoor that is installed by each of the exploits for remotely executing an arbitrary payload DLL.


At the core, this centers around SMB exploits which will allow arbitrary remote code execution on a victim machine. This, by extension, could allow an attacker visibility into potentially sensitive information about the machine itself, its users or its surrounding network environment. That’s bad for the user and the Holy Grail for any attacker.

The leaked exploits have proven an unmitigated success among malware authors. In the few months since the leak, malware has been reported to spread in worm-like fashion either by embedding their own implementation of the exploits or (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog