This post was originally published on this site is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to

The “EternalBlue” exploit (MS017-010)
was initially used by WannaCry ransomware and Adylkuzz cryptocurrency
miner. Now more threat actors are leveraging the vulnerability in Microsoft
Server Message Block (SMB) protocol
– this time to distribute
Backdoor.Nitol and Trojan Gh0st RAT.

FireEye Dynamic Threat Intelligence (DTI) has historically observed
similar payloads delivered via exploitation of CVE-2014-6332
vulnerability as well as in some email spam campaigns using powershell
. Specifically, Backdoor.Nitol has also been linked to
campaigns involving a remote code execution vulnerability using the
ADODB.Stream ActiveX Object that affects older versions of Internet
Explorer. Both payloads have previously been involved in targeted cyber-attacks
against the aerospace and defense industry

We observed lab machines vulnerable to SMB exploit were attacked by
a threat actor using the EternalBlue exploit to gain shell access to
the machine.

Figure 1 shows an EternalBlue exploitation attempt.

Figure 1. Network traffic showing EternalBlue
attack attempt

The initial exploit technique used at the SMB
is similar to what we have been seen in WannaCry
; however, once a machine is successfully infected, this
particular attack opens a shell to write instructions into a VBScript
file and then executes it to fetch the payload on another server.

We have observed the same EternalBlue and VBScript combination used
to distribute  Gh0st RAT in Singapore, as well as Backdoor.Nitol being
delivered in the South Asia region.

Figure 2. VBScript instructions in ‘1.vbs’

The full VBScript instructions can be seen in Figure 2. The attacker
echoes instructions into a new ‘1.vbs’ file to be executed later.
 These instructions fetch the  payload ‘taskmgr.exe’ from another
server in a synchronous call (as indicated by the second parameter
‘0’).  This action creates an ActiveX object ADODB.Stream, which
allows reading the file coming from the server and writes the result
of the binary data in a stream. Mode ‘3’ is used for read/write
permissions while type ‘1’ indicates stream as binary data.
Thereafter, it saves the binary stream to a location at “c:/” with
option ‘2’ in order to overwrite any binary with the same name at that location.

Later, we see that ‘1.vbs’ executes through a command-line version
of the Windows Script Host which deletes the vbs file. Once the
executable is fetched and saved, the attacker uses a shell to launch
the backdoor from the saved location.

Figure 3 shows Backdoor.Nitol being downloaded and infecting the machine.

Figure 3. Network traffic showing Backdoor.Nitol download

The command and control (C2) for the Backdoor.Nitol sample is
hackqz.f3322[.]org (  See Figure 4.

Figure 4. Backdoor.Nitol C2 communication

The other malware that we’ve observed being deployed in this manner
is Gh0st RAT. The observed dropper downloads the Gh0st RAT binary from
beiyeye.401hk[.]com (Figure 5).

Figure 5. Gh0st RAT C2 communication

The first five bytes in the header of the Gh0st RAT traffic is an
indication of the Gh0st variant used. Historically we have seen
wide-spread usage of variants employing the ‘cb1st’ magic
header against the Education, Energy/Utilities, Manufacturing,
Services/Consulting, and Telecom industries. For more information on
this and other widely used variants of Gh0st RAT, please review GH0ST
in the Machine: GH0ST RAT Remains Active in Financial Services
available on our subscription MySight portal.

The Gh0St RAT sample observed in this attack, as well as other
associated samples identified by FireEye are all signed with a common
digital certificate purporting to be from 北京研创达科技有限公司 (Beijing
Institute of Science and Technology Co., Ltd). Stolen or
illegitimately purchased code signing certificates are increasingly
used to lend legitimacy to malware. See the appendix for full details
on the observed code signing certificate.


The addition of the EternalBlue exploit to Metasploit has made it
easy for threat actors to exploit these vulnerabilities. In the coming
weeks and months, we expect to see more attackers leveraging these
vulnerabilities and to spread such infections with different payloads.
It is critical that Microsoft Windowsusers patch their machines and
update to the latest software versions as soon as possible.


FireEye Labs authors would like to thank Shahzad Ahmad and Kean
Siong Tan for their contributions in this discovery.


SHA sum

Downloader / taskmgr.exe  (Nitol)
beiyeye.401hk[.]com:1541 / systemUpdate.exe (Gh0st)

C2  (Nitol) (Nitol)
bj6po.a1free9bird[.]com (Gh0st)

Code-Signing Certificate

At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.

Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group,