Not Only WannaCry: EternalBlue Exploit Brings New Attacks

After EternalBlue was published, did anyone else use it? Or just the creators of WannaCry? Before answering this question, let's take a look at the history of the vulnerability that provided the path to the EternalBlue exploit.

October 25, 2001 : Microsoft releases the Windows XP operating system, which has become one of the company's most successful projects. It contains a critical vulnerability (which no one knows about), which was later transmitted to all future versions of the operating system.

March 14, 2017 : Microsoft has published an update that addresses this vulnerability S17-010.

April 14, 2017 : The Shadow Brokers group published an exploit of the EternalBlue from the NSA cyber arsenal, which allows exploiting this vulnerability.

May 12, 2017: WannaCry , a network worm that uses EternalBlue to spread and run the encryptor on compromised computers, has appeared.

WannaCry managed to attract the attention of all, without exception, but this is not the first attack that used the EternalBlue exploit, and perhaps not the last. In fact, we at the PandaLabs antivirus lab recently watched a new attack that uses the exploit for completely different purposes. After a thorough analysis, we obtained evidence that at least one group of cyber criminals had exploited this vulnerability since April 24, 2017, a few weeks before the appearance of WannaCry.

Attackers used a security flaw to infiltrate other people's computers, but instead of installing malware, they used different tactics.

After successfully launching the exploit via the SMB protocol, the attackers used the kernel code to inject themselves into the “lsass.exe” process, which is always present on Windows systems. Unlike the WannaCry attack, which directly injects malicious code into the process, in this case, the hackers used it in another way:



Through this process, the attackers activated a wide range of commands to guarantee “survival”. Most of the actions were performed using their own Windows utilities or other non-malicious tools, which allowed them to avoid detection by traditional anti-virus solutions.

Then they could, for example, create a new user, download the components of the utilities they use, stop the old versions of the utilities that were installed earlier, register everything necessary at startup to increase their “survival”, plan the execution of the required actions ...


Panda Adaptive application behavior analysis utility Defense

We were also able to check the dynamics of the actions that were performed by this group of attackers. For example, after gaining control, they closed port 445 to prevent other hackers from exploiting MS17-010.



Paradoxically, the attackers involuntarily helped their victims, because this step did not allow infecting other computers with the WannaCry worm.

One of the goals of this attack was to install the software necessary for mining the Monero cryptocurrency, which is an analog of the well-known Bitcoin.

Finally, we saw how it was installed as a service and launched a mining program:



This attack did not become a problem for Adaptive Defense , because in addition to many different technologies, this solution is equipped with behavioral BitcoinMiner detection technologies.