EternalBlue, the exploit used in the WannaCry ransomware outbreak, is now being leveraged to distribute the Nitol backdoor and Gh0st RAT malware.
Security researchers at FireEye said threat actors are leveraging the same Microsoft Server Message Block (SMB) protocol vulnerability (MS17-010) that the WannaCry criminals exploited.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote co-authors Ali Islam, Christopher Glyer and Barry Vengerik in a FireEye report posted Friday.
Gh0st RAT is a Trojan that has targeted the Windows platform for years. It has primarily been a nation-state tool used in APT attacks against government agencies, activists and other political targets. Gh0st recently made headlines when instances of the RAT were found by the Shodan tool called Malware Hunter, a new crawler designed to find command and control servers.
According to FireEye, Backdoor Nitol has been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. In the past, Backdoor Nitol and Gh0st have also been delivered via exploitation of the CVE-2014-6332 vulnerability and in spam campaigns that target PowerShell commands, researchers said.
“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” researchers wrote.
Researchers said they have seen the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore and Backdoor Nitol in the South Asia region.
FireEye's analysis shows that Backdoor.Nitol and Gh0st exploit Windows the same way the threat actors behind WannaCry did: attackers send specially crafted messages to a Microsoft SMBv1 server.
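A defender-side detection for the post-exploitation chain the report describes (a command shell writes a VBScript file, then a script host runs that same file), as an added example that is not from the article or from FireEye; the event schema, file paths and sample events are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Constructed event schema: (timestamp_seconds, image_path, command_line)
Event = Tuple[int, str, str]

# Shell redirection into a .vbs file, e.g.  cmd.exe /c echo ... > C:\dir\x.vbs
WRITE_VBS = re.compile(r'>>?\s*"?([A-Za-z]:\\[^\s"&|]+\.vbs)"?', re.IGNORECASE)
# A .vbs path on a script host's command line
RUN_VBS = re.compile(r'"?([A-Za-z]:\\[^\s"&|]+\.vbs)"?', re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def find_shell_vbs_chains(events: Iterable[Event], window: int = 300) -> List[dict]:
    """Return one finding per .vbs file that cmd.exe wrote via redirection and
    that cscript/wscript executed within `window` seconds afterwards."""
    written = {}  # lower-cased .vbs path -> timestamp of first shell write
    findings = []
    for ts, image, cmdline in sorted(events):
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "cmd.exe":
            for m in WRITE_VBS.finditer(cmdline):
                written.setdefault(m.group(1).lower(), ts)
        elif name in SCRIPT_HOSTS:
            m = RUN_VBS.search(cmdline)
            if m and m.group(1).lower() in written:
                path = m.group(1).lower()
                if 0 <= ts - written[path] <= window:
                    findings.append({"script": path, "host": name,
                                     "written_at": written[path], "run_at": ts})
    return findings


# Constructed sample events: a shell builds a script line by line, then runs it.
# The last event is a benign logon script that no shell wrote, so it must not fire.
SAMPLE_EVENTS: List[Event] = [
    (100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo ' constructed line 1 > C:\Windows\Temp\u.vbs"),
    (101, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo ' constructed line 2 >> C:\Windows\Temp\u.vbs"),
    (105, r"C:\Windows\System32\cscript.exe", r"cscript.exe //nologo C:\Windows\Temp\u.vbs"),
    (200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\alice\logon.vbs"),
]

if __name__ == "__main__":
    for f in find_shell_vbs_chains(SAMPLE_EVENTS):
        print(f"{f['host']} ran shell-written script {f['script']} "
              f"{f['run_at'] - f['written_at']}s after it was created")
```

On real telemetry the same function runs over process-creation events (for example Sysmon Event ID 1) once they are mapped to the (timestamp, image, command line) triple.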
The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities to spread such infections with different payloads. It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.