Kaspersky Lab reports today that it has discovered computers infected with DarkPulsar. This is malware that is rumoured to have been developed by the American National Security Agency (NSA). Networks in Egypt, Iran and Russia would have to deal with the malware.

That’s what researchers at Kaspersky Lab are making a statement today. We have seen about 50 victims, but believe that the real number is much higher, according to the researchers. All victims found are in Egypt, Iran or Russia. Most of the servers involved are running Windows 2003/2008 Server. Objectives were related to nuclear energy, telecommunications, IT, space and R&D.

Shadow Brokers

Kaspersky researchers were able to analyze DarkPulsar because it is one of the many hacking tools whose code appeared online in the spring of 2017. The tools were leaked by a group of hackers who call themselves the Shadow Brokers. They claimed to have stolen the data from the Equation Group. That’s another code name for a group that the cybersecurity industry thinks is the NSA.

DarkPulsar received little or no attention for more than eighteen months, partly because it was leaked at the same time as EternalBlue. This is an exploit that underlies last year’s three largest ransomware leaks: WannaCry, NotPetya and Bad Rabbit. The industry was therefore mainly focused on this.

FuzzBunch, DanderSpritz and DarkPulsar

In recent months the researchers of Kaspersky Lab have also looked at the other leaks that are part of Shadow Brokers. The researchers discovered FuzzBunch – which can exploit systems – and DanderSpritz, which works as a GUI application to manage hacked computers.

DarkPulsar turned out to be a FuzzBunch implant and is often used in combination with DanderSpritz. We analysed the tool and understood that it is not the back door itself, but only the administrative part, according to the researchers. For example, they discovered that certain parts of DarkPulsar’s code were likely to be used for malware.

That turned out to be true, because by searching for that code, Kaspersky’s antivirus scanners discovered infections with DarkPulsar on fifty computers. One of the main functions of the malware is that it is used as a backdoor for infected computers. The malware would most likely have been on more than fifty devices. This is because it has a special function that allows it to be removed. So the fifty victims were probably the few devices that the attackers had forgotten.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.