In 2017, The Shadow Brokers, an unknown group of hackers stolen zero-day exploits, malware, and hacking tools from the Equation Group, one of the most sophisticated cyber attack groups in the world and a unit of the National Security Agency (NSA).
Prior this incidents, Chinese based Buckeye group also known as aka APT3, had gained access to those tools and used it for a variety of attacks to gain persistent access to the various targeted organizations.
Buckeye group had been active since 2009 and commit various cyber attacks on the targets mainly an organization based in the United States, and also this group exploited various Zero-day vulnerabilities in 2014 that has been used it as a part of the attack campaign.
In March 2016, the Buckeye group using one of the well-known variant called DoublePulsar, One of the sophisticated NSA backdoor that is leaked by the Shadow Brokers in 2017, at the same time, it used the custom exploit tool (Trojan.Bemstour) to reach the targeted victims.
Bemstour exploits two Windows Zero-day vulnerabilities (CVE-2019-0703),(CVE-2017-0143) )in order to achieve remote kernel code execution on targeted computers and later moments these zero-day was used by two NSA Owned exploit tools—EternalRomance and EternalSynergy.
Bemstour Exploit Tools From Buckeye
Based on the evidence that discovered by Symantec researchers, Buckeye group used the stolen NSA hacking tools against a target that resides in Hong Kong where attackers deliver the malware named as “Buckeye” via Bemstour Exploit tools.
Bemstour exploits two Windows Zero-day vulnerabilities (CVE-2019-0703)
(CVE-2017-0143) )in order to achieve remote kernel code execution on targeted computers and later moments these zero-day was used by two NSA Owned exploit tools—EternalRomance and EternalSynergy.
According to Symantec report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed. “
“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”
In September 2016, Bemstour exploit tool was rolled out with significant improvement that can exploit both 32-bit and 64-bit system and it was targeted to attack educational institution in Hong Kong.
How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown.
The researchers believe that there are multiple possibilities as to how Buckeye obtained Equation Group tools .
- Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack.
- Buckeye obtaining the tools by gaining access to an unsecured or poorly secured Equation Group server, or that a rogue Equation group member or associate leaked the tools to Buckey
You can also Download Free E-book to learn about complete Enterprise Security Implementation & Mitigation Steps – Download Free-Ebook Here.
Indicators of Compromise