
EternalBlue, used in WannaCry, now with Nitol backdoor and Gh0st RAT

An exploit used in the recent WannaCry ransomware campaign now comes loaded with the Nitol backdoor and Gh0st RAT malware, according to a report from FireEye posted on June 2.

The exploit, dubbed EternalBlue (MS17-010), was first detected being used in the WannaCry ransomware as well as in a cryptocurrency miner, Adylkuzz. Now that its target, the Microsoft Server Message Block (SMB) protocol, is widely understood, more threat actors have adopted the exploit to deliver Backdoor.Nitol and the Gh0st RAT trojan, the FireEye report said.

Gh0st RAT has been in wide circulation for years targeting Windows machines. It's been used in APT attacks targeting government departments, as well as political activists.

Backdoor.Nitol has been associated with campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object affecting older versions of Internet Explorer, FireEye explained.

The researchers reported that both payloads had previously been seen delivered through exploitation of the CVE-2014-6332 vulnerability and in email spam campaigns using PowerShell commands, particularly against the aerospace and defense industry.

"The initial exploit technique used at the SMB level is similar to what we have seen in WannaCry campaigns," the FireEye report stated. "However, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server."
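The shell-writes-a-VBScript-then-executes-it chain the report describes is something defenders can watch for in process-creation telemetry. The following is an added example, not code from the FireEye report or SC Media; the events are constructed, and the field names (host, ts, parent, image, cmdline), the five-minute window and the shell/script-host lists are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (assumed field names; not real telemetry).
EVENTS = [
    {"host": "ws01", "ts": "2017-06-02T10:00:00", "parent": "services.exe",
     "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo WScript.Echo 1 > C:\\Windows\\Temp\\x.vbs'},
    {"host": "ws01", "ts": "2017-06-02T10:00:02", "parent": "cmd.exe",
     "image": "cscript.exe", "cmdline": 'cscript.exe //B C:\\Windows\\Temp\\x.vbs'},
    # Benign: logon script run by the script host without a preceding shell write.
    {"host": "ws02", "ts": "2017-06-02T09:00:00", "parent": "userinit.exe",
     "image": "cscript.exe", "cmdline": 'cscript.exe \\\\fs01\\netlogon\\logon.vbs'},
    # Benign: file written by a shell but executed hours later, outside the window.
    {"host": "ws03", "ts": "2017-06-02T08:00:00", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": 'cmd.exe /c echo rem notes > C:\\Users\\bob\\notes.vbs'},
    {"host": "ws03", "ts": "2017-06-02T12:00:00", "parent": "explorer.exe",
     "image": "wscript.exe", "cmdline": 'wscript.exe C:\\Users\\bob\\notes.vbs'},
]

SHELLS = {"cmd.exe", "powershell.exe"}          # assumed shell images
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}   # Windows script hosts
WRITE_RE = re.compile(r'>\s*"?([^"\s]+\.vbs)"?', re.IGNORECASE)  # "... > file.vbs"
VBS_RE = re.compile(r'"?([^"\s]+\.vbs)"?', re.IGNORECASE)        # any .vbs argument
WINDOW = timedelta(minutes=5)  # assumed: how long a shell write stays "hot"


def find_vbs_write_then_exec(events, window=WINDOW):
    """Return (host, vbs_path, exec_ts) for each shell write of a .vbs file that is
    followed, on the same host and within `window`, by a script host running it."""
    pending = {}  # (host, lowercased path) -> time the shell wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image, ts = ev["image"].lower(), datetime.fromisoformat(ev["ts"])
        if image in SHELLS:
            m = WRITE_RE.search(ev["cmdline"])
            if m:
                pending[(ev["host"], m.group(1).lower())] = ts
        elif image in SCRIPT_HOSTS:
            for path in VBS_RE.findall(ev["cmdline"]):
                wrote = pending.get((ev["host"], path.lower()))
                if wrote is not None and ts - wrote <= window:
                    alerts.append((ev["host"], path, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for host, path, when in find_vbs_write_then_exec(EVENTS):
        print(f"{when} {host}: shell-written VBScript executed: {path}")
```

Only the ws01 pair fires; the logon script on ws02 has no preceding shell write, and the ws03 file is executed long after the window has closed.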

The strategy has been detected in use in Singapore and the South Asia region.

Once EternalBlue was added to Metasploit, threat actors gained much easier access to the exploit, the report concluded. Infections delivering new payloads will only increase in the coming weeks and months, the researchers added.

Microsoft Windows users should patch their machines and upgrade to the latest software versions immediately, the FireEye team stressed.

"The broad success of the WannaCry incident demonstrates that this vulnerability is prevalent, and that's an advantage for attackers," Tim Erlin, VP product management and strategy for Tripwire, told SC Media on Monday. He too said he expects the attackers will continue exploiting this vulnerability for as long as it's productive.

"Obviously patching is ideal to protect systems, but there are cases where a patch isn't possible or may be delayed," Erlin said. "In these cases, organizations should take other mitigation steps, such as blocking network ports, disabling unnecessary services, and monitoring for exploit activity. Regardless of what mitigation is possible, the first step is to identify all the vulnerable systems."
