The EternalBlue exploit used in the WannaCry ransomware outbreak and in the distribution of the Adylkuzz miner is now being used to deliver the Nitol backdoor and Gh0st RAT. Both threats have been around for several years and are once again turning up in malicious operations.
The SMB Flaw from WannaCry and Adylkuzz Campaigns Deployed Once Again
FireEye researchers say that the criminals behind this campaign are once again using the very same SMB flaw (MS17-010) that was leveraged for the distribution of WannaCry.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” FireEye researchers recently shared.
More about Gh0st RAT
As already mentioned, the RAT has been deployed in various malicious operations for many years. Interestingly, its primary use is as a nation-state tool for APT attacks against government agencies and politically-engaged targets. Gh0st RAT was also one of the backdoors searched for by Malware Hunter, the “specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets”.
More about Backdoor.Nitol
Nitol, or Backdoor.Nitol, has previously been delivered through a remote code execution flaw in older versions of Internet Explorer that was exploited via the ADODB.Stream ActiveX object, FireEye researchers say. Interestingly, both Nitol and Gh0st have been distributed via the CVE-2014-6332 vulnerability and in spam campaigns that run PowerShell commands.
The initial exploitation at the SMB level in the Backdoor.Nitol and Gh0st campaigns is similar to what was seen in the WannaCry campaigns; however, once a machine is successfully exploited, this particular attack uses the resulting shell to write commands into a VBScript file and then executes that script to fetch the payload from another server.
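The shell-writes-VBScript-then-runs-it sequence described above is something a defender can look for in process-creation telemetry, independently of the SMB exploit that opened the shell. The following Python is an added example written for this page; it is not code from the original article or from FireEye. It runs over constructed, simplified process-creation records (the fields Sysmon Event ID 1 or Windows event 4688 would give you) and flags a cmd.exe that redirects echo output into a .vbs file followed, on the same host and within a time window, by cscript.exe or wscript.exe executing that same file. The host names, PIDs, paths and command lines in the sample records are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (field names are an assumption)."""
    ts: int        # seconds
    host: str
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


# Stage 1: a shell redirecting "echo ..." into a .vbs file.
# The path stops at whitespace, quotes or command separators (& |).
WRITE_VBS = re.compile(r'echo\b.*?>>?\s*"?(?P<path>[^\s"&|]+\.vbs)"?', re.IGNORECASE)
# Stage 2: a script host executing a .vbs file.
RUN_VBS = re.compile(r'"?(?P<path>[^\s"]+\.vbs)"?', re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (forward or back slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_vbs_dropper_chains(events: List[ProcEvent], window: int = 300) -> List[Dict]:
    """Return one finding per (host, .vbs path) where a cmd.exe wrote the
    script and a script host ran the same file within `window` seconds."""
    pending: Dict[tuple, ProcEvent] = {}   # (host, vbs path) -> write event
    findings: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        exe = basename(ev.image)
        if exe == "cmd.exe":
            m = WRITE_VBS.search(ev.cmdline)
            if m:
                pending[(ev.host, m.group("path").lower())] = ev
        elif exe in SCRIPT_HOSTS:
            m = RUN_VBS.search(ev.cmdline)
            if not m:
                continue
            key = (ev.host, m.group("path").lower())
            w = pending.get(key)
            if w is not None and 0 <= ev.ts - w.ts <= window:
                findings.append({
                    "host": ev.host,
                    "vbs_path": key[1],
                    "write_pid": w.pid,
                    "run_pid": ev.pid,
                    "seconds_between": ev.ts - w.ts,
                    # True when the script host is a direct child of the shell
                    # that wrote the file, the tightest form of the chain.
                    "child_of_shell": ev.ppid == w.pid,
                })
    return findings


# Constructed sample telemetry, not real data. ws01 carries the chain; ws02 and
# ws03 are benign look-alikes; ws04 is the chain but an hour apart.
SAMPLE_EVENTS = [
    ProcEvent(100, "ws01", 4100, 812, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c echo Set x = CreateObject("MSXML2.XMLHTTP") > C:\Windows\Temp\a.vbs'),
    ProcEvent(101, "ws01", 4104, 4100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\Windows\Temp\a.vbs"),
    ProcEvent(200, "ws02", 2200, 2000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo build ok > C:\Temp\status.txt"),
    ProcEvent(300, "ws03", 3300, 3001, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe \\fileserver\netlogon\logon.vbs"),
    ProcEvent(400, "ws04", 4400, 4001, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c echo hi > C:\Windows\Temp\old.vbs"),
    ProcEvent(4000, "ws04", 4500, 4002, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe C:\Windows\Temp\old.vbs"),
]


if __name__ == "__main__":
    for f in find_vbs_dropper_chains(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['vbs_path']} written by pid {f['write_pid']}, "
              f"run by pid {f['run_pid']} {f['seconds_between']}s later "
              f"(child of shell: {f['child_of_shell']})")
```

Matching on the script path rather than only on parent/child lets the rule catch the case where the file is written in one shell session and executed in another, while the `child_of_shell` flag tells the analyst how tight the observed chain was. The time window is a tuning knob: a long window catches slower hands-on-keyboard activity but pulls in more benign admin scripting.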
Gh0st RAT Sample Signed with Stolen Certificate
According to researchers, the combination of EternalBlue and VBScript has been used to spread Nitol and Gh0st RAT in Singapore and South Asia. The samples acquired by FireEye were also signed with a common digital certificate, which is most likely stolen:
The Gh0St RAT sample observed in this attack, as well as other associated samples identified by FireEye are all signed with a common digital certificate purporting to be from 北京研创达科技有限公司 (Beijing Institute of Science and Technology Co., Ltd). Stolen or illegitimately purchased code signing certificates are increasingly used to lend legitimacy to malware. See the appendix for full details on the observed code signing certificate.
In conclusion, the addition of EternalBlue to Metasploit has made it very easy for attackers to exploit this flaw. Researchers expect more threat groups to start leveraging the same vulnerability to deliver different payloads.
Yeah, I had this happen. It's been here for years, lying undercover. I bet it's widespread. The only sign was a quick flash of access to a vdisk when opening diskviewer; the command found no virtual disk, and as I dug deeper it reared its head, lol. Now I'm locked out of network devices, any ISO I download is redirected, it's in the firmware. I had to replace my motherboard, RAM and GPU to clean my primary PC, and it worms, so... I bet a huge chunk of people have this if they use Windows. I'm very experienced in computer repair and diagnostics; heck, even other techs I've shown just shrug. Only the good ones even recognize this as anything except a Windows file corruption. And then I show them the Windows image has a Linux boot file system embedded, hahaha. Very few would know they had it, and even fewer could get it out.