Shadow Brokers Hacking Group’s new administrative module Tool called DarkPulsar Leaks with persistance backdoor to provide remote control to the attackers.
There are two sophisticated Frameworks called DanderSpritz and FuzzBunch published in 2017 by the same Shadow Brokers.
Frameworks framework modules contain various persistance and advanced functionalities with a variety of plugins that designed to analyze victims, exploit vulnerabilities, schedule tasks, and the other module helps to monitor already controlled machines.
This cyber-espionage campaign leak called “Lost in Translation” contain new implant DarkPulsar discovered.
It acts as an administrative module during the post-exploitation stage and enables the remote control by controlling a passive backdoor named ‘sipauth32.tsp’.
Attackers mainly targeting Windows 2003/2008 Server and victims are mainly targeting nuclear energy, telecommunications, IT, aerospace, and R&D that located Russia, Iran, and Egypt.
Researchers identified that there are 50 victims have been initially identified but they believe much higher when the Fuzzbunch and DanderSpritz frameworks were actively used also attacker delete their malware from victim computers once they stopping their cyber-espionage campaign.
DarkPulsar Infection Process
Initially, 2 nameless exported functions are used to install the backdoor on targeted victims machine and the function name related to 2 names.
- TSPI (Telephony Service Provider Interface) – ensure the backdoor is in the autorun list
- SSPI (Security Support Provider Interface) – Implement the main malicious payload.
DarkPulsar is responsible for export the functions and it has the same name as the interface functions.
According to Kaspersky research, The implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges with the path to its own library in the parameter, causing lsass.exe to load DarkPulsar as SSP/AP and to call its exported function SpLsaModeInitialize used by DarkPulsar to initialize the backdoor.
Later DarkPulsar control the authentication process based on the following protocols
- Msv1_0.dll – for the NTLM protocol,
- Kerberos.dll – for the Kerberos protocol,
- Schannel.dll – for the TLS/SSL protocols,
- Wdigest.dll – for the Digest protocol, and
- Lsasrv.dll –for the Negotiate protocol.
Once it successfully obtains the above process, it gets the ability to embed malware traffic into system protocols and it will be reflected the System process
“Another advantage of the controlling authentication is the ability to bypass entering a valid username and password for obtaining access to objects that require authentication such as processes list, remote registry, file system through SMB. ”
Researchers not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly. Kaspersky said.