Banking Trojan Uses NSA-Linked Exploit

Discussion in 'malware problems & news' started by itman, Sep 26, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I am interpreting this as when the Trojan is dropped, it is using the EternalBlue backdoor code minus the SMBv1 exploit code. So the Microsoft EB patch alone would not protect against the backdoor. Most AVs now have a signature for EB.
    http://www.securityweek.com/banking-trojan-uses-nsa-linked-exploit
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Interestingly enough, the new version of this malware has dropped the EB exploit from the coding. Just speculation on my part, but I wonder if the malware group responsible found that their targets have patched systems in place (if not already always in place, the laggards adding it possibly due to Wanna?), so the inclusion of EB would be of no value and would just add an additional IOC for whatever security product to detect (as you pointed out) and alert the user that nastiness is going on.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    My take on this is that a number of the NSA exploits contain "industrial grade" backdoor code. As such, they are being "reworked" by malware developers to avoid signature detection, which is the only way to effectively detect them without extensive network monitoring.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The new versions are without any double-secret exploit coding, and are now just an effective JScript-PowerShell-Tor thingy. You are correct about network monitoring for this one: the outbound requests from the PowerShell and Tor components will make a network monitor light up like a Christmas tree.
     
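The detection logic cruelsister describes above (outbound connections from PowerShell or a script host, followed by Tor traffic) written out as an added example; this is not code from the thread or from any product the posters mention. The log format is a constructed, simplified process-to-connection record (timestamp, process image, destination IP, destination port), and the Tor ports 9001, 9050 and 9150 are assumed defaults (ORPort, SOCKS, Tor Browser SOCKS) rather than anything the thread states.

```python
"""Added example: flag outbound connections from script hosts and to default
Tor ports, then correlate the two into the script-host -> Tor chain the thread
describes. Log records below are constructed, not real product output.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed Tor defaults: 9001 (ORPort), 9050 (SOCKS), 9150 (Tor Browser SOCKS).
TOR_PORTS = {9001, 9050, 9150}

# Script hosts that rarely have a legitimate reason to open outbound sockets
# on a workstation; PowerShell is the one the thread singles out.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample: ts, process image, destination IP, destination port.
SAMPLE_LOG = """\
2017-09-26T10:00:01,chrome.exe,93.184.216.34,443
2017-09-26T10:00:02,wscript.exe,203.0.113.10,80
2017-09-26T10:00:05,powershell.exe,203.0.113.10,443
2017-09-26T10:00:09,tor.exe,198.51.100.7,9001
2017-09-26T10:00:12,outlook.exe,192.0.2.20,993
"""

FIELDS = ["ts", "image", "dst_ip", "dst_port"]


def parse_log(text):
    """Parse the constructed CSV records into typed events, in log order."""
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        events.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "image": row["image"].strip().lower(),
            "dst_ip": row["dst_ip"].strip(),
            "dst_port": int(row["dst_port"]),
        })
    return events


def reasons_for(event):
    """Return the list of reasons a single connection event is suspicious."""
    reasons = []
    if event["image"] in SCRIPT_HOSTS:
        reasons.append("outbound connection from script host " + event["image"])
    if event["dst_port"] in TOR_PORTS:
        reasons.append("destination port %d is a default Tor port" % event["dst_port"])
    return reasons


def find_alerts(text):
    """Return (event, reasons) pairs for every event that triggers a reason."""
    alerts = []
    for event in parse_log(text):
        reasons = reasons_for(event)
        if reasons:
            alerts.append((event, reasons))
    return alerts


def script_host_then_tor(text, window=timedelta(seconds=60)):
    """True when a script-host connection is followed within `window` by a
    connection to a Tor port: the JScript/PowerShell -> Tor chain."""
    events = parse_log(text)
    for i, first in enumerate(events):
        if first["image"] not in SCRIPT_HOSTS:
            continue
        for later in events[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break
            if later["dst_port"] in TOR_PORTS:
                return True
    return False


if __name__ == "__main__":
    for event, reasons in find_alerts(SAMPLE_LOG):
        print(event["ts"].isoformat(), event["image"], event["dst_ip"],
              event["dst_port"], "|", "; ".join(reasons))
    print("script host -> Tor chain seen:", script_host_then_tor(SAMPLE_LOG))
```

The per-event rules catch each component on its own (a script host talking outbound, anything reaching a Tor port); the correlation function is what turns the two into the single chain the posters expect a network monitor to flag, and it is the piece worth keeping even if the malware switches Tor to a non-default port, since the script-host rule still fires.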