DoublePulsar

Pulsar Vulnerability
Technical name	Double Variant Trojan:Win32/DoublePulsar (Microsoft); Backdoor.DoublePulsar (Fortiguard); ; Dark Variant Trojan.Darkpulsar (Symantec); Win32/Equation.DarkPulsar (ESET); ;
Family	Pulsar (backdoor family)
Author(s)	Equation Group

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.^[3] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,^[4]^[5]^[3]^[6]^[7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.^[8]^[9]^[10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec. ^[11]

Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.^[12]^[13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.^[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.^[12]

References

^ https://www.symantec.com/security-center/writeup/2017-042107-1152-99
^ https://www.virusradar.com/en/Win32_Equation.DarkPulsar.A/description
^ ^a ^b "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". 25 April 2017.
^ Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild".
^ ^a ^b "Seriously, Beware the 'Shadow Brokers'". 4 May 2017 – via www.bloomberg.com.
^ "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage".
^ ">10,000 Windows computers may be infected by advanced NSA backdoor".
^ Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It".
^ Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire".
^ "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". blog.talosintelligence.com. Retrieved 2017-05-15.
^ "Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak". arstechnica.com. Retrieved 2019-05-07.
^ ^a ^b "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0.blogspot.com. Retrieved 2017-05-16.
^ "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". threatpost.com. Retrieved 2017-05-16.

This malware-related article is a stub. You can help Wikipedia by expanding it.

[1] ttps://www.symantec.com/security-center/writeup/2017-042107-1152-99

[2] ttps://www.virusradar.com/en/Win32_Equation.DarkPulsar.A/description

[scmagazine-3] "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". 25 April 2017.

[4] Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild".

[usbguy-5] "Seriously, Beware the 'Shadow Brokers'". 4 May 2017 – via www.bloomberg.com.

[6] "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage".

[7] ">10,000 Windows computers may be infected by advanced NSA backdoor".

[8] Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It".

[9] Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire".

[10] "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". blog.talosintelligence.com. Retrieved 2017-05-15.

[11] "Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak". arstechnica.com. Retrieved 2019-05-07.

[techanalysis-12] "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0.blogspot.com. Retrieved 2017-05-16.

[13] "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". threatpost.com. Retrieved 2017-05-16.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]