Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
The only reason this malware is on a rampage is that there are computers that are not patched for MS17-010 even after the patch was released.
Yeah, when WCRY infects a computer on a local network, it tries to spread to other computers on the network using SMB shares and by exploiting the vulnerability already mentioned. So if a company is infected on a single Windows computer, there is the risk of infecting all the other Windows computers on the same local network that are not updated.
 

Winter Soldier

Looks like the malware drops the DoublePulsar backdoor; there is an nmap script for scanning your networks for any instances: smb-double-pulsar-backdoor NSE Script
It seems that the execution flow is divided into two groups of threads: one to infect hosts on the LAN, the other to infect hosts on the Internet. The first one analyses the IP range belonging to the local network, running the EternalBlue exploit on all hosts with port 445 open; the second one generates a random IP using the previously initialised generator and attempts to attack port 445 on that IP. If the attack is successful, it scans the whole class C subnet (prefix length of 24 bits, thus identifying any adjacent IPs, presumably belonging to the same organisation and therefore presumably vulnerable) relative to the infected IP, attempting to carry out new attacks.

For every attack attempt, the malware tries to detect the presence of the DoublePulsar backdoor, which is used where possible to infect the system persistently.
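The /24 sweep described in the post above makes a useful triage rule for defenders: once one host is confirmed infected, every exploitable host in the same class C neighbourhood is the worm's next target. The following is an added example, not code from the thread or from any tool it mentions; the inventory, hostnames and the `Host` flags are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    smb_open: bool          # TCP/445 reachable from other LAN hosts
    ms17_010_patched: bool  # MS17-010 update applied


# Constructed inventory for the example (not real hosts).
INVENTORY = [
    Host("10.0.5.12", smb_open=True, ms17_010_patched=False),
    Host("10.0.5.40", smb_open=True, ms17_010_patched=True),
    Host("10.0.5.77", smb_open=False, ms17_010_patched=False),
    Host("10.0.6.3", smb_open=True, ms17_010_patched=False),
    Host("10.0.5.200", smb_open=True, ms17_010_patched=False),
]


def worm_lan_scope(infected_ip: str) -> ipaddress.IPv4Network:
    """The /24 (class C) neighbourhood the worm sweeps around an infected host."""
    return ipaddress.ip_network(f"{infected_ip}/24", strict=False)


def is_exploitable(host: Host) -> bool:
    """EternalBlue needs SMB reachable and the MS17-010 fix missing."""
    return host.smb_open and not host.ms17_010_patched


def triage(infected_ips, inventory):
    """Split exploitable hosts into (immediate, exposed): those inside a
    known-infected /24 (next in line for the LAN thread) and those elsewhere
    (still reachable by the random-IP thread or later lateral hops)."""
    scopes = [worm_lan_scope(ip) for ip in infected_ips]
    infected = set(infected_ips)
    immediate, exposed = [], []
    for host in inventory:
        if host.ip in infected or not is_exploitable(host):
            continue
        addr = ipaddress.ip_address(host.ip)
        (immediate if any(addr in net for net in scopes) else exposed).append(host.ip)
    key = ipaddress.ip_address
    return sorted(immediate, key=key), sorted(exposed, key=key)
```

Isolating or patching the `immediate` list first, and blocking TCP/445 between segments, removes the path the LAN thread depends on.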
 
