# WannaCry Exploit Now Being Used to Spread Spy Trojan

Threat actors are using the same EternalBlue exploit employed by WannaCry (an attack on the SMBv1 service, patched by Microsoft in MS17-010) to deliver other malware—specifically, a remote access trojan (RAT) of the kind typically used to spy on victims' activities or take control of their computers.
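The practical question this raises for defenders is whether a host still exposes the SMBv1 service EternalBlue targets. The following PowerShell is an added example written for this page; it is not code from Cyphort's analysis or the article. It assumes the `Get-SmbServerConfiguration`/`Set-SmbServerConfiguration` cmdlets that exist on Windows 8 / Server 2012 and later, and falls back to the `SMB1` registry value under `LanmanServer\Parameters` for older hosts; the function names `Test-Smb1Enabled` and `Disable-Smb1Server` are the example's own.

```powershell
# Added example (not from the article or the Cyphort analysis): report whether the
# SMBv1 server is enabled on this host and, if so, turn it off.
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; the
# registry fallback covers Windows 7 / Server 2008 R2, where an absent SMB1 value
# means the default, which is enabled.
function Test-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        # The registry change only takes effect once the Server service restarts.
        Restart-Service -Name LanmanServer -Force
    }
}

if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 server is enabled; without MS17-010 this host is exposed to EternalBlue-style attacks.'
    Disable-Smb1Server
} else {
    Write-Output 'SMBv1 server is already disabled.'
}

# Independently of SMBv1 being on or off, confirm the MS17-010 update is present:
# list recent updates and compare the KB IDs against the ones Microsoft's MS17-010
# bulletin names for this OS version.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 20 HotFixID, Description, InstalledOn
```

Run it from an elevated prompt. Disabling SMBv1 is the right default, but it will break clients that only speak SMBv1 (old NAS devices, Windows XP-era systems, some printers), so inventory those before rolling the change out across a fleet. Turning SMBv1 off and applying MS17-010 are separate controls: the patch closes the bug, disabling the protocol removes the attack surface, and a hardened host does both.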

During the recent WannaCry outbreak, CyphortLabs observed a similar attack against one of its honeypot servers.

“We initially thought this was WannaCry, but upon further investigation, we discovered a stealthier RAT,” researchers said, in an analysis. “Unlike WannaCry, this threat infects only once and does not spread. It is not a worm.”

The RAT has plenty of spy features, the firm said, including screen and keyboard monitoring, audio and video surveillance, the ability to transfer, download or delete files and data, and general control of the infected machine. It also takes care to block the exploit from being used for other malware.

“The threat actors probably did not want other threats mingling with their activity,” CyphortLabs said. Researchers added, “At first glance, the threat we discovered may not appear to be as destructive as the WannaCry ransomware, but it may be equally dangerous if not more, depending on the attacker’s intent.”

Interestingly, the analyzed sample was first seen on VirusTotal on April 2—and since then, there have been 12 other similar samples reported. “This is an indication that they might have been using the EternalBlue exploit well before the WannaCry outbreak on May 12,” CyphortLabs said.

The researchers added: “WannaCry ransomware delivered a strong message to the world by being noisy and destructive. It seems that the message is clear now; that there are many systems out there that are vulnerable to cyberattacks... In addition, if WannaCry did not happen, we may not be aware of a number of systems that are vulnerable to exploits whether they are zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are those things that you did not see coming.”

The researchers believe that the group behind the attack is the same group that spreads Mirai via Windows (which Kaspersky discovered in February), due to several similarities in the indicators of compromise (IOCs).

"We believe at this point there are parallels with a group who has been building up the Mirai botnet and is now using EternalBlue to spread,” said Mounir Hadad, senior director of Cyphort Labs, via email. “We see the same C2 servers being used as the actors portrayed [by Kaspersky]. Given the previous uses of the Mirai botnet in mounting spectacular DDoS attacks, we can only speculate that the botnet is likely very large."