EternalBlue Exploit Spreading Gh0st RAT, Nitol

FireEye said threat actors are using the NSA’s EternalBlue exploit of the same Microsoft SMBv1 vulnerability as WannaCry to spread Nitol and Gh0st RAT.

EternalBlue, the exploit used in the WannaCry ransomware outbreak, is now being leveraged to distribute the Nitol backdoor and Gh0st RAT malware.

Security researchers at FireEye said threat actors are leveraging the same Microsoft Server Message Block version 1 (SMBv1) vulnerability that WannaCry exploited, the flaw Microsoft patched in MS17-010.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote co-authors Ali Islam, Christopher Glyer and Barry Vengerik in a FireEye report posted Friday.

Gh0st RAT is a Trojan that has targeted the Windows platform for years. It has primarily been a nation-state tool used in APT attacks against government agencies, activists and other political targets. Gh0st recently made headlines when instances of the RAT were found by Malware Hunter, a new Shodan crawler designed to locate command and control servers.

According to FireEye, Backdoor.Nitol has been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX object that affects older versions of Internet Explorer. In the past, Backdoor.Nitol and Gh0st have also been delivered via exploitation of the CVE-2014-6332 vulnerability and in spam campaigns that rely on PowerShell commands, researchers said.

“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” researchers wrote.

Researchers said they have seen the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region.

The initial compromise described by FireEye mirrors WannaCry: the attackers send specially crafted messages to a vulnerable Microsoft SMBv1 server to gain a shell on the target. What follows is where the Backdoor.Nitol and Gh0st campaigns diverge.

“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later. These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call. This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.

Ultimately, “the ‘1.vbs’ executes through a command-line version of the Windows Script Host which deletes the vbs file. Once the executable is fetched and saved, the attacker uses a shell to launch the backdoor from the saved location,” researchers said. The fetched ‘taskmgr.exe’ is the Nitol or Gh0st RAT binary itself; its name mimics the legitimate Task Manager, which lives in the Windows system directory.
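The chain above (a shell echoing script text into a .vbs, the command-line script host running that .vbs, and a payload launched from the directory the script was staged in) is distinctive enough to hunt for in process-creation telemetry. The following detection is an added example written for this article, not FireEye's code. It assumes Sysmon-style process-creation records with `ts`, `host`, `image` and `cmdline` fields; the sample events are constructed and the `taskmgr.exe` masquerade check generalizes slightly beyond the page by treating any copy of that name outside System32 as suspicious.

```python
"""Hunt for the EternalBlue -> echo-to-VBScript -> payload chain in process logs.

Added example, not FireEye's code. The field names (ts, host, image, cmdline)
mimic Sysmon Event ID 1 but are an assumption, and SAMPLE_EVENTS below is
constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: a shell appending script text to a .vbs with echo and redirection.
ECHO_TO_VBS = re.compile(r'\becho\b.*?>{1,2}\s*"?(?P<path>[^\s">]+\.vbs)"?', re.IGNORECASE)
ADODB_STREAM = re.compile(r"ADODB\.Stream", re.IGNORECASE)
# Stage 2: command-line (cscript) or windowed (wscript) Windows Script Host.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# The payload borrows the Task Manager's name; the real binary lives in a system dir.
SYSTEM_BINARY_NAMES = {"taskmgr.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

SAMPLE_EVENTS = [  # constructed sample data, not captured from a real host
    {"ts": "2017-06-02T10:00:01", "host": "lab01",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo Set s = CreateObject("ADODB.Stream") >> C:\Windows\Temp\1.vbs'},
    {"ts": "2017-06-02T10:00:02", "host": "lab01",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo s.SaveToFile "C:\Windows\Temp\taskmgr.exe", 2 >> C:\Windows\Temp\1.vbs'},
    {"ts": "2017-06-02T10:00:05", "host": "lab01",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Windows\Temp\1.vbs"},
    {"ts": "2017-06-02T10:00:09", "host": "lab01",
     "image": r"C:\Windows\Temp\taskmgr.exe",
     "cmdline": r"C:\Windows\Temp\taskmgr.exe"},
    # Benign noise on another host: a domain logon script and the real Task Manager.
    {"ts": "2017-06-02T10:01:00", "host": "ws07",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo \\dc01\netlogon\logon.vbs"},
    {"ts": "2017-06-02T10:01:30", "host": "ws07",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "cmdline": r'"C:\Windows\System32\Taskmgr.exe" /4'},
]


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerading_system_binary(ev):
    """True when a protected binary name (taskmgr.exe) starts outside a system dir."""
    return _base(ev["image"]) in SYSTEM_BINARY_NAMES and _dir(ev["image"]) not in SYSTEM_DIRS


def find_chains(events, window=timedelta(minutes=10)):
    """Correlate, per host: echo -> .vbs, a script host running that .vbs, then a
    process launched from the same directory, each step within `window` of the last."""
    findings = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        staged = {}  # lower-cased .vbs path -> state of that script on this host
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            cmd, image = ev["cmdline"], ev["image"]

            m = ECHO_TO_VBS.search(cmd)
            if m:  # stage 1: remember the script being written and whether it uses ADODB.Stream
                path = m.group("path").lower()
                st = staged.setdefault(path, {"written_at": ts, "ran_at": None, "adodb": False})
                st["adodb"] = st["adodb"] or bool(ADODB_STREAM.search(cmd))
                continue

            if _base(image) in SCRIPT_HOSTS:  # stage 2: the staged script is executed
                for path, st in staged.items():
                    if path in cmd.lower() and ts - st["written_at"] <= window:
                        st["ran_at"] = ts
                continue

            for path, st in staged.items():  # stage 3: payload launched from the staging dir
                if st["ran_at"] and _dir(image) == _dir(path) and ts - st["ran_at"] <= window:
                    findings.append({
                        "host": host,
                        "script": path,
                        "uses_adodb_stream": st["adodb"],
                        "payload": image,
                        "payload_masquerades": is_masquerading_system_binary(ev),
                    })
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the three-stage sequence on `lab01` is reported; the logon script on `ws07` runs through `cscript.exe` but was never written by an echo-to-file command, and the genuine Task Manager starts from System32, so neither produces a finding. Each stage on its own (an echo redirect, a `cscript.exe` launch, an executable in a temp directory) is too common to alert on; the correlation and the short time window are what make the signal usable.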

“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” researchers said.

  • Scott Fonner on

    Windows 10 Professional 64-bit with an AMD processor and the latest updates will use up all its memory after infection... running a day or so before crashing or restarting. I used Task Manager to exit IE 11 upon seeing the screen about paying bitcoin. But already it was too late. The encryption was prevented, but not corruption. Anyway, looking through my registry editor I found keys, labeled with random lettered names, but described as "Kaspersky back door with full administrative privileges" by the registry editor, and "IE back door..." etc. I found another and another and another, one named for each installed browser, each anti-spyware, and deleted them all. They were all new open doors. Also, a Netgear router hack was used to get to the back doors; the patch for that is in a new firmware update available from Netgear.
