Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven't been seen since possibly the MyDoom worm circa 2004. News organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend poring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it. Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

But here at Malwarebytes we try not to do that. And now, after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect. Indeed, the 'ransomworm' that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public-facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry ransomware. We will present information to support this claim by analyzing the available packet captures, binary files, and content from within The Shadow Brokers dump, and correlating what we know thus far regarding the malware infection vector.

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 & 2008. The exploit technique is known as heap spraying and is used to inject shellcode into vulnerable systems, allowing for the exploitation of the system. The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445. Bits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. The EternalBlue code is closely tied with the DoublePulsar backdoor and even checks for the existence of the malware during the installation routine.

The screenshot above shows that the malware:

- Sends an SMB Echo request to the targeted machine.
- Sets up the exploit for the target architecture.
- And if the backdoor is not installed, it's game on!

This is what made the WannaCry ransomware so dangerous. The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks.
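The propagation behaviour described above, a single host fanning out to many SMB/445 targets in a short time, is something defenders can spot in connection logs. The detector below is an added example, not code from the Malwarebytes post; the log format (`timestamp src dst dport`), the sample lines and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the article), one "timestamp src dst dport" per line.
# 10.0.0.5 behaves like a worm (six hosts on 445 in seconds); 10.0.0.9 talks to one file server; 10.0.0.7 is slow.
SAMPLE_LOG = """\
2017-05-12T14:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T14:00:01 10.0.0.5 10.0.0.21 445
2017-05-12T14:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T14:00:02 10.0.0.5 10.0.0.23 445
2017-05-12T14:00:03 10.0.0.5 10.0.0.24 445
2017-05-12T14:00:03 10.0.0.5 10.0.0.25 445
2017-05-12T14:00:05 10.0.0.9 10.0.0.50 445
2017-05-12T14:00:40 10.0.0.9 10.0.0.50 445
2017-05-12T14:01:10 10.0.0.9 10.0.0.50 445
2017-05-12T14:00:10 10.0.0.7 10.0.0.60 445
2017-05-12T14:03:10 10.0.0.7 10.0.0.61 445
2017-05-12T14:06:10 10.0.0.7 10.0.0.62 445
2017-05-12T14:00:12 10.0.0.5 10.0.0.80 80
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(log_text, threshold=5, window_seconds=60):
    """Return {src: n} for each source that opened port-445 connections to at
    least `threshold` distinct hosts inside some `window_seconds`-long span;
    n is the largest distinct-target count seen in any such window."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src -> [(timestamp, dst), ...], port 445 only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sliding window over time-ordered events
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Running `find_smb_scanners(SAMPLE_LOG)` flags only 10.0.0.5; the file-server client and the slow host stay below the threshold, which is the trade-off to tune against your own network's normal SMB fan-out.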