The Shadow Brokers-Leaked Equation Group’s Hacking Tools: A Lab-Demo Analysis

According to the The Register’s article, last week we started assisting to the widespread exploitation of The Shadow Brokers’ leaked Windows exploits, compromising thousands of vulnerable hosts over the Internet.

This widespread exploitation prompted me to release this blog post that I have been mulling for a while.

As part of the Equation Group’s hacking tools stash, leaked last week by The Shadow Brokers group, this is the latest installment of several leaks featuring network devices vulnerabilities and exploits, Linux and Unix vulnerabilities, and exploits. This hacking tools leak belonging to the Equation Group includes particularly interesting Windows 0-day exploits, implant tools and backdoors used in the widespread exploitation (DoublePulsar), and other 1-day exploits.

This is my analysis and commentary of The Shadow Brokers’ latest leak.

First of all, for the people interested in playing with the tools, these are the two relevant repositories, on GitHub:

• https://github.com/x0rz/EQGRP_Lost_in_Translation
• https://github.com/fuzzbunch/fuzzbunch

These are repositories created with the original tools downloaded from https://yadi.sk/d/NJqzpqo_3GxZA4(Originally posted from  #ShadowBrokers)

If you look at the first GitHub repository, it is divided into three directories:

• windows: this contains Windows exploits, implants and payloads, including the fuzzbunch exploitation framework.
• swift: it contains operational notes from banking attacks on the SWIFT network.
• oddjob: it contains documents related to the ODDJOB backdoor and CNC creator.

First, I found it very interesting playing with fuzzbunch, which is the Equation Group’s exploitation framework, very similar to the Metasploit framework, but written in python instead of ruby.

I tried to set it up on my lab to play with. I first tried to deploy and execute it on a Kali box, but I realized right away that this was coded to be executed on a Windows 32 bit host. So I decided to launch it in an old Windows XP box, installed Python 2.6 on it and installed the required dependencies (pypiWin32), and then execute it with: python fb.py

After a number of system-related checks, the prompt asks for the default attack box IP and the related callback listener IP.

(Note: IP addresses and other potentially sensitive information in this image and our images in this post have been obfuscated)

Once the checks complete successfully, the terminal ends up on a prompt fb>.

The use of such a terminal is pretty much similar to the use of the Metasploit framework, including the command “use” plus the exploits or implant you would like to configure.

In the “windows” directory there is also an exploits directory that includes some of the most interesting exploits.

The following GitHub repository – https://github.com/misterch0c/shadowbroker – in its README file, describes in detail all the exploits included in the stash. The following is the list of the leaked exploits:

• EARLYSHOVEL RedHat 7.0 – 7.1 Sendmail 8.11.x exploit
• EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86.
• ECHOWRECKER remote Samba 3.0.x Linux exploit.
• EASYBEE appears to be an MDaemon email server vulnerability
• EASYFUN EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6
• EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
• EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
• EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
• ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)
• EDUCATEDSCHOLAR is a SMB exploit (MS09-050)
• EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 (MS10-061)
• EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
• ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client’s side to send an email to other users
• EPICHERO 0-day exploit (RCE) for Avaya Call Server
• ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
• ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
• ETERNALBLUE is a SMBv2 exploit for Windows 7 SP1 (MS17-010)
• ETERNALCHAMPION is a SMBv1 exploit
• ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
• ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
• ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
• ETRE is an exploit for IMail 8.10 to 8.22
• ETCETERABLUE is an exploit for IMail 7.04 to 8.05
• FUZZBUNCH is an exploit framework, similar to MetaSploit
• ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors
• EXPIREDPAYCHECK IIS6 exploit
• EAGERLEVER NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release
• EASYFUN WordClient / IIS6.0 exploit
• ESSAYKEYNOTE
• EVADEFRED

This list includes Windows SMB exploits including the previously undisclosed SMB 0-day labelled “ETERNALBLUE”, which was addressed by Microsoft with the March 2017 patch labelled “MS17-010”.

The combination of ETERNALBLUE exploit and the implant DoublePulsar are currently being used in the wild to compromise Windows host open on the Internet. As always, close your SMB 445 TCP port at the firewall.

The CNC and implant framework “ODDJOB” is also included in the leak under its own directory.

Other resources are worth the mention in terms of the released exploit analysis:

1. A Google doc analyzing each exploit platform. This is a nice outlook of each exploit with the corresponding OS and service affected.
2. A quick analysis of the latest Shadow Brokers dump https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/
3. Equation Group Dump Analysis and Full RCE on Win7 on MS17-010 with Cobalt Strike – https://www.trustedsec.com/blog/equation-group-dump-analysis-full-rce-win7-fully-patched-cobalt-strike/ – this is the description of Eternalblue exploitation then injecting the Cobalt Strike beacon implant using DoublePulsar implant stager payload.
4. Windows exploits dump by The Shadow Brokers – What you need to know/do https://blog.comsecglobal.com/2017/04/windows-exploits-shadowbrokers.html

The following is my report on using the ETERNALBLUE MS17-010 SMB exploit on WinXP with a Windows 7 target.

After selecting the exploit to be used with “use Eternalblue”, selecting the target – Win7 / Win2k3 – and selecting the fuzzbunch native stager to be installed, the buffer corruption is triggered and then the implant stager is successfully installed.

After the prompt returns, we invoke the implant installation with “use DoublePulsar” command. DoublePulsar simply allows to ping the installed stager, execute shellcode or upload and execute a custom dll. You can also uninstall the installed implant. In this screenshot, we simply ping the backdoor. You can also install and execute custom DLL implants such as with pupy or Powershell Empire.

DoublePulsar also uses a novel approach to load and execute custom DLL – not reflectively like in many other tools, including Metasploit. Here are some of the blog posts that analyze those techniques:

• ANALYZING THE DOUBLEPULSAR KERNEL DLL INJECTION TECHNIQUE
• DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis

Another implant and Listening Post present in the hacking tools leak is called “Dander Spiritz”. Using ETERNALBLUE and DoublePulsar you can upload and execute an implant created with “DanderSpiritz”. Dander Spiritz also has a listening post you can launch with “python start_lp.py” in the windows directory. This invokes a “Start.jar” file and requires Java to be installed. Once the implant is executed, it connects back to the Listening Post and it can execute other commands on the implanted OS.

This is the full blog post reporting the use and installation of Dander Spiritz implant and listening post – https://hackernoon.com/a-quick-look-at-the-nsa-exploits-dander-spiritz-trojan-1b5428b0ee65

It was also interesting seeing how using the ETERNALBLUE exploit and DoublePulsar implant, you can install a meterpreter implant created with msf venom.

https://www.pwn3d.org/

The community started releasing IDS rules to detect the exploitation attacks described here: YARA IDS rules 

Metasploit and other tools have been released to detect systems that have been exploited and implanted with DoublePulsar implants.

• Microsoft Windows MS17-010 SMB Remote Code Execution – this MSF auxiliary module is to detect the SMB vulnerabilities used by the exploit ETERNALBLUE.
• This tool is used to detect whether the host is already been implanted with DoublePulsar: https://github.com/countercept/doublepulsar-detection-script

The other parts of the leak dump are for a directory named “swift” of references and SQL commands to exploit the SWIFT network. The folder holds SWIFT data that contains SQL scripts that search for SWIFT-specific data inside databases, and text and Excel files hinting the Equation Group had hacked and gained access to several banks across the world, including not only Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen, but also allegedly European Union-based banks.

This folder is by far the most interesting of the three, as it alludes that the Equation Group (NSA) had been infiltrating banks, and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate the Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the several SWIFT departments managing and monitoring SWIFT transactions across Middle Eastern banks.”

The other directory of the dump is “oddjob,” named after a listening post and implant that can be configured via a browser using an “hta” file and targets Windows operating systems.

ODDJOB appears to be both a specially crafted Command and Control (C&C) system as well as an implant for the Microsoft Windows operating system. The implant can remotely collect information from targeted systems by instructing systems to “beacon” out to “Listening Posts” (C&C servers).

ODDJOB disguises its implants and its network traffic as legitimate Windows updates. It transfers data outbound by making requests to what looks like legitimate Windows Update “cab” files. This way of communication (transport) makes the implant particularly stealthy because it communicates via cab file transfers and a protocol used by Microsoft for its Windows update service.

Security researchers are currently working on identifying ways to detect ODDJOB implants via network detection and endpoint security solutions.

In terms of recommendations, It is important to note the following:

• These vulnerabilities still exist in unsupported Operating Systems such as Windows Server 2003 which will not receive patches.
• Some of the most critical vulnerabilities were only fixed in the March 2017 “Patch Tuesday” release.

As such, organizations running older Windows Operating Systems or those that have not applied the latest patches to their newer Windows Operating Systems may still be at risk from these vulnerabilities.

We would therefore recommend that organizations take the following immediate actions:

• Scan for Windows machines where port 445 is externally exposed to incoming traffic from the Internet and block this at the firewall.
• Where servers were found with this port open, review server logs to look for evidence of malicious activity.
• Prepare a plan to patch all Windows machines with the key patch (MS17-010) and any of the other patches from the Microsoft blog-post above which have not yet been applied.
• Prepare a mitigation plan for any Windows machines which are unsupported or cannot be patched in a timely fashion.
• Review the list of exploits to look for non-Windows exploits which may directly affect you.

We would also recommend the following, mid to long term actions:

• Ensure that you have a robust Vulnerability and Patch Management process in place to allow timely application of updates. To note that NopSec Unified VRM already detects the MS17-010 missing patch and related SMB vulnerability.
• Run a DoublePulsar implant detection scanner like the one mentioned above to make sure that your network is not already infected.
• Ensure all non-vital ports are inaccessible externally across the technology environment.
• Prepare a plan to upgrade unsupported OSes as soon as possible.

(Note: Post Peer-Reviewed by Shawn Evans, Ethical Hacker and Head of Security Engineering, NopSec)