Since EternalBlue was first published, has anyone else used it? Or only the creators of WannaCry? Before we answer that question, let’s take a look at the history of the vulnerability that gave way to the EternalBlue exploit.

October 25, 2001: Microsoft launches the Windows XP operating system, one of the company’s biggest successes. It contains, without anyone knowing it, a critical vulnerability that is later passed down to all future versions of the operating system.

March 14, 2017: Microsoft publishes an update that addresses this vulnerability (MS17-010)

April 14, 2017: The Shadow Brokers group publishes the EternalBlue exploit, part of the NSA’s cyber-arsenal to take advantage of the vulnerability.

May 12, 2017: WannaCry appears, a network worm that uses the EternalBlue attack to propagate and runs ransomware on compromised machines.

WannaCry is getting all the attention, but it’s not first attack to use the EternalBlue exploit, and probably won’t be the last. In fact, at PandaLabs, we have recently observed a new attack that uses the exploit for completely different purposes. After conducting a thorough analysis, we have obtained evidence that at least one group of cybercriminals has been exploiting this vulnerability since April 24, 2017, weeks before the appearance of WannaCry.

Attackers have used the security gap to sneak into other people’s computers, but instead of installing malware, they used different tactics.

After successfully launching the exploit through the SMB protocol, attackers used kernel code to inject themselves into the “lsass.exe” process, which is always present on Windows systems. Unlike the WannaCry attack, which directly injected malware into the process, here they use it in a completely different way:

Through this process, the attackers set into motion a wide range of commands to guarantee persistence. Most of the actions are carried out with Windows’ own utilities or non-malicious tools, averting detection by traditional antiviruses.

They are then able to, for example, create a new user, download components of the tools they’ll be using, kill older versions of tools that had previously been installed, go into autorun to gain persistence, schedule tasks…

Application behavior analysis tool from Panda Adaptive Defense.

We were also able to verify an evolution in the actions carried out by the group. For example, after gaining control, the group closed port 445 to prevent other “actors” from benefiting from the MS17-010 vulnerability.

Paradoxically, the attackers unwittingly helped out their victims, as this step made it impossible for additional computers to be infected with WannaCry.

One of the goals of the attack was to install cryptocurrency mining software. The currency used was “Monero”, which shares some attributes with the better-known Bitcoin.

Finally, we see how it is installed as a service and launches the mining program:

It’s worth noting that Adaptive Defense, among many other technologies, is equipped with generic detection for BitcoinMiners by behavior.