search
    search
      10 Oct, 2017

      A new malspam campaign has been observed on October 6th 2017 spreading DoublePulsar via EternalBlue exploit, and Hidden Tear ransomware. Based on the delivery documents and ransom notes, the campaign looks to be targeting German speaking users.

      EternalBlue exploits a vulnerability in the way Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests giving the attacker an opportunity to execute code on the target server [1]. Microsoft has issued a patch for the vulnerability back in March 2017 but the exploit was used as part of the WannaCry ransomware attack in May 2017 and NotPetya attack in June 2017. DoublePulsar is a backdoor implant that was used alongside EternalBlue. Hidden Tear is an open source ransomware family. Malware authors have built different variants on top of its code base that vary from each other in different ways such as the payment methods, the encryption techniques and which files to consider for encryption [2].

      The delivery document (PRELIMINARY_KAPSCH_SECURITY_NIGHT_2017_WORD_DROPPER.doc) uses a macro to drop the malicious payload to the victim machine:

      delivery-doc.jpg

      Submitting the delivery document to RSA pre-release What's This File service shows the following malicious characteristics including the auto-launch script to download a payload from a domain over SSL: 

      hiddenteat-wtf-1.png

      hiddentear-wtf-2.png

      hiddentear-script-1.png

      The powershell script (launcher.ps1.txt) has the capability of mapping the victim network:

      hiddentear-script-2.png

      It can also download a zipped filed 'EB_LAUNCHER.zip' and extracts it on the victim machine:

      hiddentear-script-4.png

      The request to download 'EB_LAUNCHER.zip' was observed in NetWitness Packets:

      hiddentear-nw-session-1.png

      hiddentear-nw-files-1.png

      hiddentear-nw-investigate.png

      Finally, the script proceeds to deliver:

      hiddentear-script-5.png

      First, it tries to run a powershell script (Execute-EB-Launcher.ps1) to attempt to infect machines in the network that could be vulnerable to EternalBlue exploit and to implant DoublePulsar in case the attempt was successful:

      hiddentear-ps-info.png

      hiddentear-eb-launch.png

      In this scenario, no neighbor machines were compromised. The malicious powershell script (launcher.ps1.txt) finally downloads and launches a Hidden Tear variant:

      hiddentear-nw-session-2.png

      hiddentear-nw-files-2.png

      hiddentear-nw-investigate-2.png

      Upon execution, the malware encrypts the victim files and presents the following ransom note:

      hiddentear-note.png

      Post-infection traffic is over SSL:

      hiddentear-post-infection.png

      The payment websites were down at the time of this writing.

      Delivery documents (SHA256):

      • 8ad3c6df4a96b97279e50a39fe4c2662d8da7699c54cb2582a5c0ae7ae358334
      • 4592803dfdd47c4bfffad037695d3be4566c38ad46132e55c5679c7eb6f029da

      EB_LAUNCHER.zip (SHA256):

      • 22a3a1c609b678b5eed59b48eed47513996998ab99841773d5b0f316fc9e7528

      Hidden Tear ransomware (SHA256):

      • bf9d54c7b894065d6f3ac59da093241ee0c0c545a323c9d8ae8c8f8a9b14d591

      References:

      1. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144 
      2. Ransomware Recap: The Ongoing Development of Hidden Tear Variants - Security News - Trend Micro USA

      47874-wb-net-FirstWatch-banner-1792x98.png
      Topic:
      0 Comment
        CATEGORIES
        RECENT POST
        Amazon Cloudwatch Event Source Log Configuration Guide
        3 Dec, 2025
        F5 Source Code Breach: Hunting UNC5221's BRICKSTORM with NetWitness
        31 Oct, 2025
        MSAzureGraph Universal Plugin for Microsoft Graph API
        17 Oct, 2025