A powerful NSA malware dubbed DarkPulsar, that was leaked last year, is now being used by cybercriminals to target industries such as the nuclear energy, IT, telecommunications, aerospace, and Research & Development. So far, security researchers have discovered around 50 victims targeted by DarkPulsar, but suspect there may be many more.
DarkPulsar was one among several of the NSA’s hacking tools that was leaked by the mysterious Shadow Brokers cybergang in March 2017. The Shadow Brokers likely stole the hacking tools from the NSA’s elite hacking unit called the Equation Group and later attempted to sell and auction off the stolen trove of tools.
DarkPulsar went unnoticed for a while, given how it was eclipsed by the EternalBlue exploit, which was also publicly released at the same time. EternalBlue was later leveraged by cybercriminals to develop destructive malware variants such as WannaCry and NotPetya.
However, DarkPulsar was discovered by security researchers at Kaspersky Labs when they dug deep into FuzzBunch and DanderSpritz. While FuzzBunch is an exploit framework, DanderSpritz consists of plugins that facilitate intelligence-gathering and control infected systems.
“DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical windows interface similar to botnets administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims,” Kaspersky researchers said in a report. “Fuzzbunch, on the other hand, provides a framework for different utilities to interact and work together. It contains various types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, etc.”
DarkPulsar supports commands such as Burn, RawShellcode, UpgradeImplant, and PingPong, among others. These commands can remove implants, run arbitrary code, check whether the backdoor is installed on a remote system and also upgrade the implant.
“Darkpulsar-1.1.0 was not designed as a standalone program for managing infected machines. This utility is a plugin of the Fuzzbunch framework that can manage parameters and coordinate different components,” the researchers added. “DanderSpritz is the framework for controlling infected machines, different from FuZZbuNch as the latter provides a limited toolkit for the post-exploitation stage with specific functions such as DisableSecurity and EnableSecurity for DarkPulsar.”
Meanwhile, DanderSpritz could also work with a much wider range of backdoor malware variants, when combined with one of its plugins, PeddleCheap. This DanderSpritz plugin can be used to connect to infected systems and configure implants.
According to Kaspersky researchers, FuzzBunch and DanderSpritz are flexible and designed to expand compatibility with other hacking tools. Both contain plugins that can conduct tasks such as reconnaissance and managing infected systems.
“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness,” Kaspersky researchers said. “The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”