Tuesday, November 26, 2024
HomeBackdoorDarkPulsar - A Shadow Brokers Group's New Hacking Tool Leak To Open...

DarkPulsar – A Shadow Brokers Group’s New Hacking Tool Leak To Open Backdoor & Provide Remote Control

Published on

Shadow Brokers Hacking Group’s new administrative module Tool called DarkPulsar Leaks with persistance backdoor to provide remote control to the attackers.

There are two sophisticated Frameworks called DanderSpritz and FuzzBunch published in 2017 by the same Shadow Brokers.

Frameworks framework modules contain various persistance and advanced functionalities with a variety of plugins that designed to analyze victims, exploit vulnerabilities, schedule tasks, and the other module helps to monitor already controlled machines.

- Advertisement - SIEM as a Service

This cyber-espionage campaign leak called “Lost in Translation” contain new implant DarkPulsar discovered.

It acts as an administrative module during the post-exploitation stage and enables the remote control by controlling a passive backdoor named ‘sipauth32.tsp’.

Attackers mainly targeting  Windows 2003/2008 Server and victims are mainly targeting nuclear energy, telecommunications, IT, aerospace, and R&D that located Russia, Iran, and Egypt.

Researchers identified that there are 50 victims have been initially identified but they believe much higher when the Fuzzbunch and DanderSpritz frameworks were actively used also attacker delete their malware from victim computers once they stopping their cyber-espionage campaign.

DarkPulsar Infection Process

Initially, 2 nameless exported functions are used to install the backdoor on targeted victims machine and the function name related to 2 names.

  •  TSPI (Telephony Service Provider Interface) –  ensure the backdoor is in the autorun list
  •  SSPI (Security Support Provider Interface) –  Implement the main malicious payload.

DarkPulsar is responsible for export the functions and it has the same name as the interface functions.

According to Kaspersky research, The implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges with the path to its own library in the parameter, causing lsass.exe to load DarkPulsar as SSP/AP and to call its exported function SpLsaModeInitialize used by DarkPulsar to initialize the backdoor.

Later DarkPulsar control the authentication process based on the following protocols

  • Msv1_0.dll – for the NTLM protocol,
  • Kerberos.dll – for the Kerberos protocol,
  • Schannel.dll – for the TLS/SSL protocols,
  • Wdigest.dll – for the Digest protocol, and
  • Lsasrv.dll –for the Negotiate protocol.

Once it successfully obtains the above process, it gets the ability to embed malware traffic into system protocols and it will be reflected the System process

Network traffic during successful connection

“Another advantage of the controlling authentication is the ability to bypass entering a valid username and password for obtaining access to objects that require authentication such as processes list, remote registry, file system through SMB. “

Researchers not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly. Kaspersky said.

Read More:

APT Group Uses Datper Malware To Launch Cyber Attack on Asia Countries by Executing Shell Commands

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload...

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions...

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload...

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions...

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...