DoublePulsar exploitation

An infosec researcher who uses the online pseudonym of Capt. Meelo has modified an NSA hacking tool known as DoublePulsar to work on the Windows IoT operating system (formerly known as Windows Embedded).

The original DoublePulsar is a hacking tool that was developed by the US National Security Agency (NSA), and was stolen and then leaked online by a hacking group known as The Shadow Brokers.

At its core, DoublePulsar is a Ring-0 kernel mode payload that acts like a backdoor into compromised systems. DoublePulsar is not meant to be used on its own, but together with other NSA tools.

NSA operators are supposed to use the FuzzBunch framework (also leaked by The Shadow Brokers) together with an exploit package (such as EternalBlue, EternalSynergy, EternalRomance, or others) to gain a temporary foothold on a system and then drop DoublePulsar implant to obtain a permanent one.

An in-depth analysis of the original DoublePulsar exploit, as leaked by The Shadow Brokers last year, is available here, authored by RiskSense security researcher Sean Dillon.

DoublePulsar infected hundreds of thousands of PCs last year

When it was released last year in April, the exploit worked on all major Windows versions, except the latest Windows 10 version.

Malware authors began testing the efficiency of the FuzzBunch-EternalBlue-DoublePulsar exploit chain right away. Bleeping Computer reported last year that over 36,000 computers were infected with DoublePulsar during these test runs, but that number grew to over 425,000 in less than a week.

Computers are still being infected even to this day with DoublePulsar, albeit not in the same numbers.

Because DoublePulsar is frequently detected by antivirus software, malware authors generally use EternalBlue only, and then deploy a custom backdoor instead of DoublePulsar.

One simple edit and DoublePulsar works on Windows IoT

But with what amounts to a simple edit of the DoublePulsar Metasploit module, Capt. Meelo has ported this hacking tool so it can now be used to take over systems running versions of the Windows IoT Core OS as well.

Systems that usually run Windows IoT Core are smart Internet-of-Things devices, point of sale (PoS) kiosks, or ATMs.

The only way to protect against having these devices corraled into a botnet via DoublePulsar is to apply the security updates included in MS17-010, the security bulletin that contains patches against the hacking tools and exploits leaked online by The Shadow Brokers last year, including DoublePulsar.

Correction: One of the Bleeping Computer readers has told us that researchers from FractureLabs first ported DoublePulsar to work on Windows Embedded systems last year.

Related Articles:

Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms

Malware Disguised as Job Offers Distributed on Freelance Sites

0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative

Mirai, Gafgyt IoT Botnets Reach To the Enterprise Sector

Windows Systems Vulnerable to FragmentSmack, 90s-Like DoS Bug