Engineering:DoublePulsar

From HandWiki
Short description: Backdoor implant tool


Pulsar Vulnerability
Technical name:
  • Double Variant
    • Trojan:Win32/DoublePulsar (Microsoft)
    • Backdoor.DoublePulsar (Fortiguard)
  • Dark Variant
Family: Pulsar (backdoor family)
Author(s): Equation Group

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[3][citation needed] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.[11]

Sean Dillon, a senior analyst at the security company RiskSense Inc., was the first to dissect and inspect DoublePulsar.[12][13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug and use DoublePulsar as their primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the compromised system.[5] Once installed, it supports three commands: ping, kill, and exec, the last of which can be used to load malware onto the system.[12]

References

  1. "Trojan.Darkpulsar". Symantec. https://www.symantec.com/security-center/writeup/2017-042107-1152-99.
  2. "Win32/Equation.DarkPulsar.A | ESET Virusradar". https://www.virusradar.com/en/Win32_Equation.DarkPulsar.A/description.
  3. "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". SC Magazine. 25 April 2017. https://www.scmagazine.com/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/article/652518/.
  4. Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild". Wired. https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/.
  5. "Seriously, Beware the 'Shadow Brokers'". Bloomberg. 4 May 2017. https://www.bloomberg.com/news/articles/2017-05-04/seriously-beware-the-shadow-brokers.
  6. "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage". BleepingComputer. https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/.
  7. ">10,000 Windows computers may be infected by advanced NSA backdoor". Ars Technica. 21 April 2017. https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/.
  8. Cameron, Dell (13 May 2017). "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Gizmodo. https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/.
  9. Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire". Forbes. https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/#38e56ad374fc.
  10. "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". Cisco Talos. 12 May 2017. http://blog.talosintelligence.com/2017/05/wannacry.html.
  11. "Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak". Ars Technica. 7 May 2019. https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/.
  12. "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0. 21 April 2017. https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html.
  13. "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". Threatpost. https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/.