DoublePulsar
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[1] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[2][3][1][4][5] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[6][7][8]
Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[9][10] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[3] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.[9]
References
- 1 2 "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". 25 April 2017.
- ↑ Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild".
- 1 2 "Seriously, Beware the 'Shadow Brokers'". 4 May 2017 – via www.bloomberg.com.
- ↑ "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage".
- ↑ ">10,000 Windows computers may be infected by advanced NSA backdoor".
- ↑ Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It".
- ↑ Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire".
- ↑ "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". blog.talosintelligence.com. Retrieved 2017-05-15.
- 1 2 "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0.blogspot.com. Retrieved 2017-05-16.
- ↑ "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". threatpost.com. Retrieved 2017-05-16.