Last week many of us in the industry were busy investigating a large cache of weaponized software exploits and payloads released by the ShadowBrokers group. One particular payload that received much attention was the DOUBLEPULSAR implant.
DOUBLEPULSAR is a covert command and control channel that can be used to control a compromised target. While many of the exploits that were released by the Shadow Brokers dump allow attackers to compromise a target, DOUBLEPULSAR can be used to maintain control of that compromised target in a covert manner. Attackers communicate with compromised targets using the Transaction 2 Subcommand Extension SMB feature, a feature that has not officially been used in SMB so far. If a system is compromised, an attacker can gather sensitive data, execute commands, or use the system to launch attacks against other systems in your network.
Systems that are compromised by DOUBLEPULSAR will respond to a trans2 SESSION_SETUP with a Not Implemented message that contains a Multiplex ID of 81 while a system that is not compromised will respond with the same message and a Multiplex ID of 65.
DOUBLEPULSAR can be identified by both Nessus® and PVS™. Tenable customers can use Nessus plugin ID 99439 to actively scan their networks for any hosts that are compromised.
In addition to actively scanning for DOUBLEPULSAR, PVS customers can leverage Plugin 700059 to listen for connections to compromised targets.
SecurityCenter® users can quickly identify all hosts compromised by DOUBLEPULSAR by leveraging the Shadow Brokers Vulnerability Detection dashboard. This dashboard was updated to include DOUBLEPULSAR, please re-download the dashboard to get the updated matrix.
The presence of DOUBLEPULSAR is not just a potential vulnerability on a system in your network. It means that the target is compromised and can be potentially used to exfiltrate highly sensitive data or run arbitrary commands on the system. There have been reports of scripts actively scanning the internet looking for the existence of this backdoor. By using Nessus and PVS, you can identify any compromised hosts and cut off access.
Many thanks to Andrew Orr and Ian Parker for their contributions to this blog.