Hacking operations with DarkPulsar and other tools developed by the NSA

Share this…

Attackers target critical servers using three of the NSA-developed hacking tools, including DarkPulsar, which were leaked by the Shadow Brokers hacking group

According to reports of experts in digital forensics, various groups of hackers take advantage of DarkPulsar, DanderSpritz and Fuzzbunch, hacking tools developed by the National Security Agency (NSA), to infect the Windows Server 2003 and 2008 systems in several organizations in Russia, Iran and Egypt. Hackers have used these powerful cyber weapons to compromise the systems used in the aerospace, nuclear energy, research and development industries, among others. It is believed that around 50 organizations in the aforementioned industries have been compromised.

“DanderSpritz consists entirely of plugins to collect intelligence, exploits and examine machines already controlled. It is written in Java and provides a graphical Windows interface similar to the botnets management panels, as well as a Metasploit-type console interface. It also includes its own backdoors and accessories for victims not controlled by FuzzBunch”, Andrey Dolgushev, Dmitry Tarakanov and Vasily Berdnikov, experts in digital forensics, reported.

“On the other hand, Fuzzbunch provides a framework for different utilities to interact and work together. It contains several types of plugins designed to analyze victims, exploit vulnerabilities, schedule tasks, among other features”.

DarkPulsar is a backdoor that could use malicious agents along with the Fuzzbunch operating kit to gain remote access to the compromised server. Once the backdoor is established, attackers could use DanderSpritz plugins to monitor and extract data from the compromised machines, as reported by experts in digital forensics from the International Institute of Cyber Security.

Each hacking tool supports a set of plugins designed for different tasks, FuzzBunch plugins are used for recognition and hacking of the attacked system, DanderSpritz plugins are used for operation with resources of infected victims.

The discovery of the latest wave of attacks with these tools is really important for the cybersecurity industry, as it demonstrates that malicious actors could chain hacking tools developed by nation-states and exploit them to create a powerful attack package. This campaign shows how hackers combined these tools to perform highly sophisticated hacking operations.

“The discovery of the DarkPulsar backdoor helped to understand its role as a bridge between the two leaked work frames, and how they integrate into the same attack platform designed for a long-term compromise, based on the advanced capabilities of DarkPulsar for persistence and stealth”, the experts mentioned. “The implementation of these features, such as encapsulating legitimate protocol traffic and avoiding credential entry to pass authentication, is highly professional”.

Experts also provided technical details and commitment indicators for attacks by leveraging the NSA tools. It is important to note that security patches are available for the vulnerabilities targeted by the NSA’s leaked exploits.

“FuzzBunch and DanderSpritz are designed to be flexible and to extend their functionality and compatibility with other tools”, conclude the experts.