Hackers are using the same Microsoft Server Message Block (SMB) protocol vulnerability (MS17-010) that was used in the WannaCry outbreak to distribute Backdoor.Nitol and Trojan Gh0st RAT, according to FireEye.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” said the researchers in a recent blog post.
They said that the initial exploit technique used at the SMB level is similar to what they had seen in WannaCry campaigns; “however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.”
They added that the combination of EternalBlue and VBScript has been used to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being delivered in the South Asia region.
“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later. These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call,” said the report. “This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream.”
The researchers added that ‘1.vbs’ is executed through the command-line version of the Windows Script Host, after which the .vbs file is deleted. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location.
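The chain described above (shell echoes script lines into a .vbs file, the command-line script host runs it, the fetched payload is launched from where it was saved) is easy to spot in process-creation telemetry when the individual steps are correlated per host rather than judged alone. The following is an added detection example, not code from FireEye or from the article. It assumes Sysmon Event ID 1-style process-creation events (host, timestamp, parent image, image, command line), assumes that the command-line Windows Script Host is cscript.exe (the article does not name the binary), and uses constructed sample events rather than real telemetry:

```python
"""Correlate process-creation events for the EternalBlue -> VBScript dropper chain.

Added example, not FireEye's code. Assumes Sysmon Event ID 1-style events and
that cscript.exe is the command-line Windows Script Host. All sample events
below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # lab-01: the dropper chain from the article
    {"host": "lab-01", "ts": "2017-06-01T10:00:01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo Set s = CreateObject("ADODB.Stream") >> C:\Users\Public\1.vbs'},
    {"host": "lab-01", "ts": "2017-06-01T10:00:09", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\Public\1.vbs"},
    {"host": "lab-01", "ts": "2017-06-01T10:00:31", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\taskmgr.exe",
     "cmdline": r"C:\Users\Public\taskmgr.exe"},
    # admin-07: a legitimate inventory script run; a lone cscript execution must not alert
    {"host": "admin-07", "ts": "2017-06-01T10:05:00", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.vbs"},
    # ws-12: the real Task Manager from the Windows directory; must not alert
    {"host": "ws-12", "ts": "2017-06-01T10:06:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\taskmgr.exe", "cmdline": r"taskmgr.exe"},
]

# Shell redirection of an echo into a .vbs file (the "write instructions into a VBScript file" step).
ECHO_TO_VBS = re.compile(r'\becho\b.*>{1,2}\s*"?[^"\s]+\.vbs\b', re.IGNORECASE)
VBS_ARG = re.compile(r"\S+\.vbs\b", re.IGNORECASE)
# Windows binary names the payload may borrow; taskmgr.exe is the name reported in the article.
SYSTEM_NAMES = {"taskmgr.exe"}
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of rule names that fire on a single process-creation event."""
    hits = set()
    image, cmd = basename(event["image"]), event["cmdline"]
    if image == "cmd.exe" and ECHO_TO_VBS.search(cmd):
        hits.add("echo_to_vbs")                  # shell writes script lines into a .vbs file
    if "adodb.stream" in cmd.lower():
        hits.add("adodb_stream_in_cmdline")      # binary-stream COM object named on the command line
    if image == "cscript.exe" and VBS_ARG.search(cmd):
        hits.add("cscript_vbs")                  # command-line WSH executes a .vbs file
    if image in SYSTEM_NAMES and not WINDOWS_DIR.match(event["image"]):
        hits.add("system_name_outside_windows")  # e.g. taskmgr.exe launched from a non-Windows path
    return hits


def correlate(events, window=timedelta(minutes=10)):
    """Raise one alert per host when the echo -> cscript chain appears within the time window."""
    by_host = defaultdict(list)
    for ev in events:
        hits = classify(ev)
        if hits:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hits))
    alerts = []
    for host, entries in by_host.items():
        entries.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(entries):
            rules = set()
            for ts, hits in entries[i:]:
                if ts - start > window:
                    break
                rules |= hits
            if {"echo_to_vbs", "cscript_vbs"} <= rules:
                severity = "high" if "system_name_outside_windows" in rules else "medium"
                alerts.append({"host": host, "start": start.isoformat(),
                               "rules": sorted(rules), "severity": severity})
                break  # one alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy (administrators run cscript.exe legitimately, and echo redirection is common in batch jobs), so the alert only fires when the write-then-execute pair appears on one host inside the window; a copy of a system binary name executing from outside the Windows directory raises the severity. Running the block on the constructed events produces a single high-severity alert for lab-01 and nothing for the two benign hosts.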
“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” warned the researchers.
“It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.”
This article originally appeared at scmagazineuk.com