Hackers are expanding their use of EternalBlue, the leaked NSA exploit that was thrust into the spotlight in May with its initial use in the WannaCry ransomware and the Adylkuzz cryptocurrency miner.
Security researchers have now found threat actors exploiting the vulnerability in Microsoft Server Message Block (SMB) protocol to distribute other malicious payloads including Backdoor.Nitol and Trojan Gh0st RAT.
Backdoor.Nitol is a Trojan horse that opens a backdoor on the infected computer. Gh0st RAT is a remote access Trojan that has been making the rounds for years to target Windows machines and is capable of giving attackers full access to and control of an infected machine. It has also been used in extensive cyber espionage and data-stealing campaigns.
According to security firm FireEye, both the well-known payloads have been previously used in cyberattacks targeting the aerospace and defence industry with Gh0st RAT targeting government agencies and activists as well.
"We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine," FireEye researchers said in a blog post. "The initial exploit technique used at the SMB level is similar to what we have seen in WannaCry campaigns.
"However, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server."
Researchers said the combination of EternalBlue and VBScript has been used to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region.
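The chain described above (a shell writes a VBScript file, runs it through a script host, and the script fetches the payload from a remote server) leaves a recognisable sequence in endpoint telemetry. The following is an added detection example, not FireEye's or the article's code: the event records are constructed, simplified Sysmon-style entries, and the list of writable staging directories is an assumption.

```python
import re

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Writable locations a dropper is likely to stage a script in (assumption).
STAGING_DIRS = re.compile(r"\\(temp|tmp|public|programdata)\\", re.IGNORECASE)

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "pid": 412, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo ... > C:\\Windows\\Temp\\a.vbs'},
    {"type": "file_create", "host": "ws01", "pid": 412,
     "path": "C:\\Windows\\Temp\\a.vbs"},
    {"type": "process", "host": "ws01", "pid": 433, "ppid": 412, "image": "cscript.exe",
     "cmdline": "cscript.exe C:\\Windows\\Temp\\a.vbs"},
    {"type": "network", "host": "ws01", "pid": 433, "dest": "203.0.113.10:80"},
    # Benign admin script: not created in this stream, not in a staging dir.
    {"type": "process", "host": "ws02", "pid": 900, "image": "cscript.exe",
     "cmdline": "cscript.exe C:\\Scripts\\inventory.vbs"},
]

def find_vbscript_stagers(events):
    """Return (host, pid, script) for every script host that runs a .vbs
    which was created earlier in the same event stream inside a writable
    staging directory and then opens an outbound connection (the
    'fetch the payload from another server' step)."""
    created = set()      # (host, script path) for .vbs files seen being written
    suspicious = {}      # (host, pid) -> script path for script hosts of interest
    hits = []
    for ev in events:
        if ev["type"] == "file_create" and ev["path"].lower().endswith(".vbs"):
            created.add((ev["host"], ev["path"].lower()))
        elif ev["type"] == "process" and ev["image"].lower() in SCRIPT_HOSTS:
            m = re.search(r"(\S+\.vbs)", ev["cmdline"], re.IGNORECASE)
            if m:
                script = m.group(1).lower()
                if (ev["host"], script) in created and STAGING_DIRS.search(script):
                    suspicious[(ev["host"], ev["pid"])] = script
        elif ev["type"] == "network":
            key = (ev["host"], ev["pid"])
            if key in suspicious:
                hits.append((ev["host"], ev["pid"], suspicious.pop(key)))
    return hits

if __name__ == "__main__":
    for host, pid, script in find_vbscript_stagers(SAMPLE_EVENTS):
        print(f"{host}: pid {pid} ran staged script {script} and then reached out")
```

Tuning the staging-directory pattern and requiring the file-create event to precede execution are what keep routine administrative scripts, such as the ws02 entry, out of the results.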
EternalBlue came as part of the cache of alleged NSA hacking tools released by notorious hacking group Shadow Brokers in April.
Security researchers warned that with the EternalBlue exploit now released and available to any threat actor, it is likely to be used in new, more sophisticated and more frequent cyberattacks.
"The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities," FireEye said. "In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and spreading such infections with different payloads.
"It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible."