The notorious EternalBlue exploit was leaked from the NSA a couple of months ago, and the aftermath of that leak continues to grow more severe with time. The first major implementations of the exploit were the WannaCry ransomware and the Adylkuzz cryptocurrency miner.
A few weeks after those two infections rose to prominence, security researchers are reporting other instances in which EternalBlue is being used. Experts have found that attackers are exploiting the vulnerability in Microsoft's Server Message Block (SMB) protocol, and threat actors have been reported distributing the payloads of malware such as Backdoor.Nitol and Gh0st RAT.
Both of the latter belong to the Trojan category. Backdoor.Nitol is used to open a backdoor on the targeted device. Gh0st RAT is a remote access Trojan, as the abbreviation in its name indicates, and has been in circulation for several years. The infection has sophisticated capabilities: it gives attackers full access to the targeted computer and the ability to take complete control of it. Gh0st RAT has been used in extensive cyber espionage and data theft campaigns.
Cyber security company FireEye reports that the payloads of Backdoor.Nitol and Gh0st RAT have previously been used to launch cyber attacks on the aerospace and defence industry. Gh0st RAT has also been involved in targeted attacks on government agencies and activists.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” shared FireEye experts in a blog post. “The initial exploit technique used at the SMB level is similar to what we have seen in WannaCry campaigns.”
“However, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.”
Researchers stated that the exploit combination of EternalBlue and VBScript has been utilized to distribute Gh0st RAT in Singapore and Backdoor.Nitol throughout the South Asia region.
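The chain FireEye describes (a shell obtained through the SMB exploit writes a VBScript file to disk, then runs it to fetch the payload) leaves a recognizable pattern in process-creation telemetry. The following hunt script is an added example written for this article; it is not FireEye's tooling and the log lines, process ids and paths in it are constructed. It assumes events have been flattened into one `key=value` line each, loosely modelled on Sysmon process-creation records, and correlates a `cmd.exe` redirect that writes a `.vbs` file with a later `cscript.exe`/`wscript.exe` launch of that same file.

```python
"""Hunt flattened process-creation events for the shell -> VBScript -> payload
fetch chain. Added example for this article; not FireEye's code."""
import re
from typing import Dict, List

# Constructed sample events (invented pids, paths and timestamps). Each line is
# a flattened process-creation record in key=value form; cmdline is quoted.
SAMPLE_EVENTS = [
    r'ts=2017-06-01T10:00:00 pid=4712 ppid=900 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe"',
    r'ts=2017-06-01T10:00:02 pid=4720 ppid=4712 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c echo Dim h > C:\Windows\Temp\upd.vbs"',
    r'ts=2017-06-01T10:00:03 pid=4721 ppid=4712 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c echo h.Send >> C:\Windows\Temp\upd.vbs"',
    r'ts=2017-06-01T10:00:05 pid=4730 ppid=4712 image=C:\Windows\System32\cscript.exe cmdline="cscript.exe //B C:\Windows\Temp\upd.vbs"',
    # Benign admin script run from a normal location: should not be flagged.
    r'ts=2017-06-01T10:01:00 pid=5100 ppid=3000 image=C:\Windows\System32\cscript.exe cmdline="cscript.exe C:\Scripts\inventory.vbs"',
    # Script run from a user temp directory with no observed shell write: lower confidence.
    r'ts=2017-06-01T10:02:00 pid=5200 ppid=3100 image=C:\Windows\System32\wscript.exe cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\setup.vbs"',
]

KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')
# "> file.vbs" or ">> file.vbs" inside a cmd.exe command line
WRITE_RE = re.compile(r'>>?\s*"?([^\s"]+\.vbs)\b', re.IGNORECASE)
# any .vbs path passed to a script host
VBS_RE = re.compile(r'([^\s"]+\.vbs)\b', re.IGNORECASE)
# staging directories that are writable without elevation (assumed list)
STAGING_RE = re.compile(r'\\(temp|tmp|appdata|programdata|public)\\', re.IGNORECASE)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line; quoted values keep their spaces."""
    ev = {}
    for key, value in KV_RE.findall(line):
        ev[key] = value[1:-1] if value.startswith('"') else value
    return ev


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return findings for script files written by a shell and then executed,
    plus lower-confidence hits for scripts run from staging directories."""
    events = [parse_event(line) for line in lines]
    written: Dict[str, Dict[str, str]] = {}  # normalised .vbs path -> first writer
    for ev in events:
        if basename(ev.get("image", "")) == "cmd.exe":
            m = WRITE_RE.search(ev.get("cmdline", ""))
            if m:
                written.setdefault(m.group(1).lower(), ev)

    findings: List[Dict[str, object]] = []
    for ev in events:
        if basename(ev.get("image", "")) not in SCRIPT_HOSTS:
            continue
        m = VBS_RE.search(ev.get("cmdline", ""))
        if not m:
            continue
        path = m.group(1).lower()
        if path in written:
            writer = written[path]
            findings.append({
                "severity": "high",
                "reason": "script written by cmd.exe redirect, then executed by a script host",
                "path": path,
                "writer_pid": writer["pid"],
                "exec_pid": ev["pid"],
                # same parent shell for write and execute strengthens the link
                "same_parent": writer["ppid"] == ev["ppid"],
            })
        elif STAGING_RE.search(path):
            findings.append({
                "severity": "medium",
                "reason": "script host running a .vbs from a staging directory",
                "path": path,
                "exec_pid": ev["pid"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The high-confidence rule keys on the write-then-execute pairing rather than on any single process, since `cscript.exe` running a `.vbs` is routine on many hosts; the `same_parent` field is kept so an analyst can see whether both steps came from the same shell. On real telemetry the event source would be Sysmon Event ID 1 or equivalent EDR process records, and the staging-directory list should be tuned to the environment.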
The hacker group Shadow Brokers is credited with exposing the EternalBlue exploit, which had allegedly been used by the NSA. The exploit was released as part of a cache of tools in April.
Security researchers have expressed concern about the situation surrounding this vulnerability. With EternalBlue freely available to every threat actor, the potential for more sophisticated and more frequent cyber attacks grows.
“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities,” FireEye concluded. “In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and spreading such infections with different payloads.”
“It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.”