Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

guest · Oct 19, 2018

Kaspersky says it detected infections with DarkPulsar, alleged NSA malware
October 19, 2018
https://www.zdnet.com/article/kaspe...fections-with-darkpulsar-alleged-nsa-malware/

Kaspersky Lab said today that it detected computers infected with DarkPulsar, a malware implant that has been allegedly developed by the US National Security Agency (NSA).

[...] it was one one of the many hacking tools that were dumped online in the spring of 2017. The hacking tools were leaked by a group of hackers known as the Shadow Brokers [...]

DarkPulsar went mostly unnoticed for more than 18 months as the 2017 dump also included EternalBlue, the exploit that powered last year's three ransomware outbreaks --WannaCry, NotPetya, and Bad Rabbit. [...] Almost all the infosec community's eyes have been focused on EternalBlue for the past year

But in a report released today, Kaspersky researchers said the DarkPulsar code included in the Shadow Brokers leak isn't the entirety of DarkPulsar. [...] "it it is not a backdoor itself, but the administrative part only," Kaspersky said.
Click to expand...

A full technical breakdown of the DarkPulsar malware is avalable in this Kaspersky report.
Click to expand...

EASTER · Oct 19, 2018

mood said: ↑

Kaspersky says it detected infections with DarkPulsar, alleged NSA malware
October 19, 2018
https://www.zdnet.com/article/kaspe...fections-with-darkpulsar-alleged-nsa-malware/
Click to expand...

@itman was all over this thing and those others last summer and made for some super interesting topic discussions on each one that was published/released. I don't think there's enough years in a single human lifetime to learn all the techniques that Windows has made possible courtesy their O/S codes and branches of implementation so far.

Seems others were curious enough to experiment with what used to have evasion properties from most if not all AV detections.

itman · Oct 19, 2018

Unlike DoublePulsar, DarkPulsar is an implant of Fuzzbunch:

One of the most interesting Fuzzbunch’s categories is called ImplantConfig and includes plugins designed to control the infected machines via an implant at the post-exploitation stage. DarkPulsar is a very interesting administrative module for controlling a passive backdoor named ‘sipauth32.tsp’ that provides remote control, belonging to this category.

DarkPulsar technical highlights

The DarkPulsar implant is a dynamic library whose payload is implemented in exported functions. These functions can be grouped as follows:

Two nameless functions used to install the backdoor in the system.

Functions with names related to TSPI (Telephony Service Provider Interface) operations that ensure the backdoor is in the autorun list and launched automatically.

A function with a name related to SSPI (Security Support Provider Interface) operations. It implements the main malicious payload.

The implementations of the SSPI and TSPI interfaces are minimalistic: the functions that are exported by DarkPulsar have the same names as the interface functions; however, they include malicious code instead of the phone service.

The implant is installed in the system by the nameless exported function. The backdoor is launched by calling Secur32.AddSecurityPackage with administrator privileges with the path to its own library in the parameter, causing lsass.exe to load DarkPulsar as SSP/AP and to call its exported function SpLsaModeInitialize used by DarkPulsar to initialize the backdoor. In this way AddSecurityPackage is used to inject code into lsass.exe. It also adds its library name at HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony\Providers

This is loaded at start by the Telephony API (TapiSrv) launched alongside the Remote Access Connection Manager (RasMan) service, setting startup type as “Automatic”. When loading the telephony service provider’s library, TapiSrv calls TSPI_lineNegotiateTSPIVersion which contains the AddSecurityPackage call to make the inject into lsass.exe.

DarkPulsar implements its payload by installing hooks for the SpAcceptLsaModeContext – function responsible for authentication. Such injects are made in several system authentication packets within the process lsass.exe and allow Darkpulsar to control authentication process based on the following protocols:

Msv1_0.dll – for the NTLM protocol,

Kerberos.dll – for the Kerberos protocol,

Schannel.dll – for the TLS/SSL protocols,

Wdigest.dll – for the Digest protocol, and

Lsasrv.dll –for the Negotiate protocol.

After this, Darkpulsar gets ability to embed malware traffic into system protocols. Since this network activity takes place according to standard system charts, it will only be reflected in the System process – it uses the system ports reserved for the above protocols without hindering their normal operation.
Click to expand...

https://securelist.com/darkpulsar/88199/

Per the zdnet.com article:

"We found around 50 victims, but believe that the figure was much higher," Kaspersky Lab researchers said today.
Click to expand...

I agree ………. much, much higher.

itman · Oct 19, 2018

DarkPulsar code located on GitHub here: https://github.com/adamcaudill/EquationGroupLeak/blob/master/windows/implants/Darkpulsar-1.1.0.9.xml

mekelek · Oct 19, 2018

uh oh kaspersky is detecting NSA originated stuff, time to make sure it's even more banned from the US.

EASTER · Oct 19, 2018

itman said: ↑

DarkPulsar code located on GitHub here: https://github.com/adamcaudill/EquationGroupLeak/blob/master/windows/implants/Darkpulsar-1.1.0.9.xml
Click to expand...

Thanks for that. Another piece of fun to play with and read into their makings of a sneak malware.

Log in or Sign up

Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

guest Guest

EASTER Registered Member

itman Registered Member

itman Registered Member

mekelek Registered Member

EASTER Registered Member

Log in or Sign up

Kaspersky says it detected infections with DarkPulsar, alleged NSA malware

guest Guest

EASTER Registered Member

itman Registered Member

itman Registered Member

mekelek Registered Member

EASTER Registered Member

Useful Searches