Thursday, March 28, 2024

DarkPulsar – A Shadow Brokers Group’s New Hacking Tool Leak To Open Backdoor & Provide Remote Control

Shadow Brokers Hacking Group’s new administrative module Tool called DarkPulsar Leaks with persistance backdoor to provide remote control to the attackers.

There are two sophisticated Frameworks called DanderSpritz and FuzzBunch published in 2017 by the same Shadow Brokers.

Frameworks framework modules contain various persistance and advanced functionalities with a variety of plugins that designed to analyze victims, exploit vulnerabilities, schedule tasks, and the other module helps to monitor already controlled machines.

This cyber-espionage campaign leak called “Lost in Translation” contain new implant DarkPulsar discovered.

It acts as an administrative module during the post-exploitation stage and enables the remote control by controlling a passive backdoor named ‘sipauth32.tsp’.

Attackers mainly targeting  Windows 2003/2008 Server and victims are mainly targeting nuclear energy, telecommunications, IT, aerospace, and R&D that located Russia, Iran, and Egypt.

Researchers identified that there are 50 victims have been initially identified but they believe much higher when the Fuzzbunch and DanderSpritz frameworks were actively used also attacker delete their malware from victim computers once they stopping their cyber-espionage campaign.

DarkPulsar Infection Process

Initially, 2 nameless exported functions are used to install the backdoor on targeted victims machine and the function name related to 2 names.

  •  TSPI (Telephony Service Provider Interface) –  ensure the backdoor is in the autorun list
  •  SSPI (Security Support Provider Interface) –  Implement the main malicious payload.

DarkPulsar is responsible for export the functions and it has the same name as the interface functions.

According to Kaspersky research, The implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges with the path to its own library in the parameter, causing lsass.exe to load DarkPulsar as SSP/AP and to call its exported function SpLsaModeInitialize used by DarkPulsar to initialize the backdoor.

Later DarkPulsar control the authentication process based on the following protocols

  • Msv1_0.dll – for the NTLM protocol,
  • Kerberos.dll – for the Kerberos protocol,
  • Schannel.dll – for the TLS/SSL protocols,
  • Wdigest.dll – for the Digest protocol, and
  • Lsasrv.dll –for the Negotiate protocol.

Once it successfully obtains the above process, it gets the ability to embed malware traffic into system protocols and it will be reflected the System process

Network traffic during successful connection

“Another advantage of the controlling authentication is the ability to bypass entering a valid username and password for obtaining access to objects that require authentication such as processes list, remote registry, file system through SMB. “

Researchers not seen any techniques for stealing money in this implant, but it is worth keeping in mind that this implant can run any executable code, so its functionality can be increased significantly. Kaspersky said.

Read More:

APT Group Uses Datper Malware To Launch Cyber Attack on Asia Countries by Executing Shell Commands

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles