DarkPulsar Implant role in FuzzBunch and DanderSpritz frameworks

Dmitry Tarakanov , Senior Security Researcher , Kaspersky

Alexey Shulmin , Lead Malware Analyst , Kaspersky

In March 2017 group of hackers ShadowBrokers released an archive with exploitation frameworks for cyber-espionage FuzzBunch and DanderSpritz which turned out to be a toolset of Equation Group APT actor.

One of the basic implant of the FuzzBunch framework is DarkPulsar which is passive backdoor in the form of dynamic link library loaded as Telephony Service Provider at system startup. Attackers took advantage of loading this backdoor as Telephony Service Provider in the system lsass.exe process so it has functionality to disable with the use of tricky hooks on system libraries functions also working inside lsass.exe, for example, NTLM authentication mechanism of the system allowing operators interact with infected machines by standard SMB protocol without knowing correct user login and password.

Since FuzzBunch and DanderSpritz frameworks are quite comprehensive systems and include a lot of other implants and plugins for reconnaissance purposes there should be an orchestrator component that allow run various programs on infected machine extending operator’s capabilities. DarkPulsar has turned out to be a tool carrying out exactly such tasks.

Leaked archive includes DarkPulsar administrative tool only without samples of backdoor itself. But this tool has revealed signatures that have to be present in samples running on victims’ side as well. It allowed us to obtain samples of this implant that were pushed to victims. Using on of found programs for infecting test machine and rolling out FuzzBunch and DanderSpritz frameworks we have been able to connect these controlling systems to the backdoor and to interact with it. We have completely figured out how DarkPulsar works and what frameworks components can be activated with the use of it. Despite the fact that FuzzBunch and DanderSpritz frameworks are different and use own tools and plugins, DarkPulsar is such link that ties these independent platforms with each other.

In our presentation we will disclose most interesting internal workings of DarkPulsar implant, for example, how the backdoor allows bypassing NTLM authentication, and demonstrate how to interact with infected machine where this backdoor is running via FuzzBunch and DanderSpritz frameworks.

Dmitry Tarakanov

Started from Virus Analyst position at Kaspersky Lab in 2009 Dmitry has grown up to solid security researcher specializing in combating and understanding targeted attacks. Working for several years in Global Research and Analysis Team he was researching APT campaigns, discovering new ones and tracking APT groups and their tools. Nowadays he is mostly focusing on malware detection used in APT attacks and improving Kaspersky Lab perimeter security solution.

Alexey Shulmin

I graduated from D. Mendeleyev University of Chemical Technology of Russia (cybernetic dept.), where I got Bachelor degree and later MA-equivalent degree.
Then I was a postraduee at Bauman Moscow State Technical University, where I got a PhD Degree in computer science (Infosecurity).
Later I was a lecturer at the University for 5 years, I taught courses “Operating Systems”, “Programming in C++”, “Low-level programming” and others.
I joined the Kaspersky lab in 2013 as s Malware Analyst in the Anti-Botnet group.
I was responsible for analysis bots functionality and their communication protocols.
In 2016 I became a lead of the new-formed Targeted Attacks Research team and now our main aims are to provide strong detects for all known APTs and to provide expert supporting for our Anti-APT product.