Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak

On April 14, 2017, The Shadow Brokers (TSB) leaked a bevy of hacking tools named “Lost in Translation.” This leak is notorious for having multiple zero-day remote code execution (RCE) vulnerabilities targeting critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and applications like collaboration and web server-based software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.

The leak also contains multiple post-exploitation implants and utilities, used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server, among others. Five of the most notable implants include DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which all have different capabilities, features, and usage.

Read more…
Source: Trend Micro