“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” said the researchers in a recent blog post.
They said that the initial exploit technique used at the SMB level is similar to what they had seen in WannaCry campaigns; “however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.”
They added that the combination of EternalBlue and VBScript has been used to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being delivered in the South Asia region.
“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later. These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call,” said the report. “This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream.”
The researchers added that the ‘1.vbs’ executes through a command-line version of the Windows Script Host, which deletes the vbs file. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location.
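The staging chain described above (a shell echoing script text into a .vbs file, ADODB.Stream in that text, and the Windows Script Host then running the file) leaves a recognisable trail in process-creation telemetry. The following detector is an added example written for this article; it is not code from the researchers' report or from any product. The event records are constructed for illustration, and the field layout (host plus command line) is an assumption that any EDR or Sysmon process-creation export can be mapped onto.

```python
"""Flag the echo-to-VBScript staging chain in process-creation logs.

Added example, not code from the original article. Events are constructed
samples; the (host, command_line) record shape is an assumption.
"""
import re
from collections import defaultdict

# Indicators of the chain described in the article:
#  - a shell echoing script text into a .vbs file (redirect with > or >>)
#  - cscript/wscript (Windows Script Host) launching a .vbs
#  - ADODB.Stream appearing in script text passed on a command line
RULES = {
    "echo_to_vbs": re.compile(r'\becho\b.*>>?\s*"?(?P<path>[^"\s>]+\.vbs)\b', re.I),
    "wsh_runs_vbs": re.compile(r'\b(?:cscript|wscript)(?:\.exe)?\b.*?(?P<path>[^"\s]+\.vbs)\b', re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
}

# Constructed sample events: (host, command line). Only indicator fragments are
# included; these are not functional scripts.
SAMPLE_EVENTS = [
    ("ws-01", 'cmd.exe /c echo Set s = CreateObject("ADODB.Stream") >> C:\\Windows\\Temp\\1.vbs'),
    ("ws-01", "cmd.exe /c cscript.exe //nologo C:\\Windows\\Temp\\1.vbs"),
    ("ws-01", "C:\\Windows\\System32\\notepad.exe C:\\Users\\alice\\notes.txt"),
    ("ws-02", "cmd.exe /c echo hello > C:\\Temp\\readme.txt"),
    ("ws-02", "wscript.exe C:\\Users\\bob\\Downloads\\invoice.vbs"),
]


def match_event(cmdline):
    """Return {rule_name: script_path_or_None} for each rule the command line trips."""
    hits = {}
    for name, rx in RULES.items():
        m = rx.search(cmdline)
        if m:
            hits[name] = m.groupdict().get("path")
    return hits


def single_event_alerts(events):
    """Low-confidence tier: every event that trips at least one rule."""
    return [(host, sorted(match_event(cmd))) for host, cmd in events if match_event(cmd)]


def find_staging_chains(events):
    """High-confidence tier: on one host, the same .vbs is both written via echo
    and later executed by a script host. Returns a list of dicts sorted by host."""
    per_host = defaultdict(lambda: defaultdict(set))
    for host, cmdline in events:
        hits = match_event(cmdline)
        # Attach all rules tripped by this event (including ADODB.Stream, which
        # carries no path of its own) to the .vbs path the event references.
        path = next((p for p in hits.values() if p), None)
        if path:
            per_host[host][path.lower()].update(hits)
    chains = []
    for host, scripts in sorted(per_host.items()):
        for script, rules in sorted(scripts.items()):
            if {"echo_to_vbs", "wsh_runs_vbs"} <= rules:
                chains.append({"host": host, "script": script, "rules": sorted(rules)})
    return chains


if __name__ == "__main__":
    for alert in single_event_alerts(SAMPLE_EVENTS):
        print("event hit:", alert)
    for chain in find_staging_chains(SAMPLE_EVENTS):
        print("staging chain:", chain)
```

Because scripts built this way are typically assembled from several `echo ... >>` commands, each fragment is attached to the same script path, so correlation still fires however many lines were echoed. The lone `wscript.exe invoice.vbs` event on the second host only reaches the low-confidence tier, which is the intended behaviour: script hosts running .vbs files is noisy on its own, while write-then-execute of the same file from a shell is the specific pattern the report describes.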
“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” warned the researchers.
“It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.”
Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC Media UK that “EternalBlue is an extremely effective delivery mechanism for all kinds of malware, and we expect anything to ride on it, from remote access Trojans to banker malware or keyloggers.”
Thomas Fischer, global security advocate at Digital Guardian, told SC that most systems were vulnerable to the EternalBlue exploit either because they had not been patched by companies or because the SMB vulnerabilities were made accessible via the Internet.
“Looking back at WannaCry, we know that the infection spread because of unpatched systems. While many companies will now have applied the patch, attackers are no doubt betting on there being at least some vulnerable systems remaining. This will probably be in cases where patching may not be possible, such as embedded systems, or in those using pirated copies of Windows. The latter is what led to the proliferation of WannaCry in China,” he said.
Marco Cova, senior security researcher at Lastline, told SC that patching, whenever feasible, should be the element at the top of the list. “When patching is not practical, there are still many countermeasures that greatly reduce the risk of exposure: disabling the vulnerable service (SMB in this case) if possible; isolating the vulnerable machines in network segments that are not exposed to the Internet; preventing unnecessary connections to the vulnerable machines even from internal machines; using monitoring tools that can alert of possible ongoing attacks,” he said.