Kaspersky Lab said today that it detected computers infected with DarkPulsar, a malware implant allegedly developed by the US National Security Agency (NSA).
“We found around 50 victims, but believe that the figure was much higher,” Kaspersky Lab researchers said today.
“All victims were located in Russia, Iran, and Egypt, and typically Windows 2003/2008 Server was infected,” the company said. “Targets were related to nuclear energy, telecommunications, IT, aerospace, and R&D.”
Kaspersky researchers were able to analyze DarkPulsar because it was one of the many hacking tools that were dumped online in the spring of 2017.
The hacking tools were leaked by a group of hackers known as the Shadow Brokers, who claimed they stole them from the Equation Group, a codename given by the cyber-security industry to a group that’s universally believed to be the NSA.
DarkPulsar went mostly unnoticed for more than 18 months because the 2017 dump also included EternalBlue, the exploit that powered last year’s three ransomware outbreaks: WannaCry, NotPetya, and Bad Rabbit.
Almost all the infosec community’s eyes have been focused on EternalBlue for the past year, and for a good reason, as the exploit has now become commodity malware.
But in recent months, Kaspersky researchers have also started to dig deeper into the other hacking tools leaked by the Shadow Brokers last year.
They looked at FuzzBunch, an exploit framework that the Equation Group has been using to deploy exploits and malware on victims’ systems through a command-line interface similar to the Metasploit pen-testing framework.
They also looked at DanderSpritz, a FuzzBunch plugin that works as a GUI application for controlling infected victims.
DarkPulsar is a FuzzBunch “implant” (the framework’s term for its malware components) that is often used together with DanderSpritz.
But in a report released today, Kaspersky researchers said the DarkPulsar code included in the Shadow Brokers leak isn’t the entirety of DarkPulsar.
“We analyzed this tool and understood that it is not a backdoor itself, but the administrative part only,” Kaspersky said.
A major breakthrough came when they realized that some constants from the DarkPulsar administrative interface code were also most likely used by the actual malware.
Researchers created special rules to detect these constants in files scanned by the Kaspersky antivirus. This is how they detected the roughly 50 computers that were still infected with the actual DarkPulsar malware.
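As an added illustration of the detection approach described above, not code from Kaspersky or from the report, the following Python scanner hunts files for 32-bit constants lifted from a tool’s administrative component; the constants, their encodings, and the sample file are constructed placeholders, not DarkPulsar’s real values.

```python
"""Constant-based file hunting: search files for constants that an
analyst pulled from a tool's administrative component. All constants
and sample data below are CONSTRUCTED placeholders."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical 32-bit constants (e.g. a protocol magic and a command ID)
# taken from an admin component. Constructed values, not real indicators.
CONSTANTS: Dict[str, int] = {
    "proto_magic": 0x4B5F6D21,
    "cmd_upload": 0x0000A7C3,
}

def encodings(value: int) -> Dict[str, bytes]:
    """Byte forms a 32-bit constant may take on disk: the little-endian
    immediate inside x86 code, and its ASCII-hex spelling in a config."""
    return {
        "le32": struct.pack("<I", value),
        "ascii_hex": f"{value:08x}".encode(),
    }

@dataclass
class Hit:
    name: str       # which constant matched
    encoding: str   # which byte form matched
    offset: int     # file offset of the match

def scan_bytes(data: bytes) -> List[Hit]:
    """Return every occurrence of every constant in every encoding."""
    hits: List[Hit] = []
    for name, value in CONSTANTS.items():
        for enc, pattern in encodings(value).items():
            start = 0
            while (pos := data.find(pattern, start)) != -1:
                hits.append(Hit(name, enc, pos))
                start = pos + 1
    return hits

def matches_rule(data: bytes, min_distinct: int = 2) -> bool:
    """Rule: flag a file only if at least `min_distinct` different
    constants are present; one shared value alone is a weak signal."""
    return len({h.name for h in scan_bytes(data)}) >= min_distinct

# Constructed sample: a PE-like stub with both constants embedded.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + struct.pack("<I", 0x4B5F6D21)
          + b"\x00" * 8 + b"0000a7c3")
```

Requiring several distinct constants to co-occur is what keeps such a rule from firing on every file that happens to contain one common DWORD value.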
Based on the functions they found in the DarkPulsar admin interface, researchers say the malware is primarily used as a backdoor to infected computers.
The malware’s main features are its ability to run arbitrary code via a function named “RawShellcode” and the ability to upload other DanderSpritz payloads (malware) via the “EDFStageUpload” function, greatly expanding the operator’s hold and capabilities on an infected system.
Kaspersky researchers also believe that the number of computers that have been infected with DarkPulsar is most likely larger than the 50 detections they found.
The malware also included a self-delete function, which Equation Group operators likely used to cover their tracks after the Shadow Brokers dumped their tools online.
“So the 50 victims are very probably just ones that the attackers have simply forgotten,” researchers said.
As for who is behind these hacks, Kaspersky didn’t say. It is unclear if the Shadow Brokers managed to get their hands on the full DarkPulsar malware but then opted not to include the actual backdoor in the package of leaked tools.
These 50 infections could very easily be the work of Equation Group cyber-espionage operations or the work of the Shadow Brokers themselves.
A full technical breakdown of the DarkPulsar malware is available in this Kaspersky report.