DoublePulsar Backdoor Malware

DoublePulsar: Stealthy Windows Backdoor Deployed via SMB Exploits

DoublePulsar is a Windows backdoor implant that enables attackers to execute arbitrary code on infected machines. It became publicly known in 2017 after leaked NSA-linked hacking tools revealed its use alongside the EternalBlue exploit, which targeted vulnerabilities in Microsoft’s SMB protocol. DoublePulsar was later used to deploy major malware campaigns, including WannaCry ransomware.

Introduction to DoublePulsar

DoublePulsar functions as a post-exploitation backdoor, meaning it is installed only after an attacker successfully exploits a vulnerability—most commonly via EternalBlue. Once implanted, it allows remote code execution, file injection, and additional malware deployment without obvious signs of compromise. Its stealthy design and memory-resident behavior made it difficult to detect in early campaigns.

---

1. How DoublePulsar Works

Infection Mechanism:
DoublePulsar is not typically delivered directly. Instead, it is installed after:

• Exploitation of the SMBv1 vulnerability (MS17-010) via EternalBlue
• Remote exploitation of unpatched Windows systems
• Lateral movement within networks after initial compromise

Payload Execution:
Once deployed, DoublePulsar:

• Injects itself into the Windows kernel (ring 0)
• Listens for specially crafted SMB packets
• Executes arbitrary code supplied by the attacker
• Acts as a delivery mechanism for ransomware, cryptominers, or other malware
• Leaves minimal disk artifacts, often residing in memory

---

2. History and Notable Campaigns

Origin and Discovery:
DoublePulsar was exposed in April 2017 after the Shadow Brokers group leaked alleged NSA-developed cyber tools. It was designed to work with EternalBlue and EternalRomance exploits targeting Windows SMB services.

Notable Campaigns:

• Used in the global WannaCry ransomware outbreak in May 2017
• Deployed in network worm campaigns exploiting unpatched Windows machines
• Observed in targeted espionage operations before public disclosure
• Rapidly adopted by cybercriminal groups after the leak

---

3. Targets and Impact

Targeted Victims and Sectors:

• Windows systems running unpatched SMBv1 services
• Enterprises, hospitals, government networks, and small businesses
• Any device exposed to SMB over the internet or internally within vulnerable networks

Consequences:

• Remote code execution without user interaction
• Rapid lateral movement across networks
• Delivery of ransomware (e.g., WannaCry)
• Full system compromise at kernel level
• Potential data theft or sabotage

---

4. Technical Details

Payload Capabilities:

• Kernel-level backdoor implant
• Supports:
  • Remote code execution
  • DLL injection
  • Memory-only payload deployment
• Communicates via specially crafted SMB requests
• Does not create typical persistent files on disk

Evasion Techniques:

• Memory-resident behavior reduces forensic footprint
• Custom SMB packet responses mask its presence
• Kernel-level implantation avoids many user-space detection tools
• Designed to operate silently unless triggered

---

5. Preventing DoublePulsar Infections

Best Practices:

• Patch Windows systems against MS17-010 immediately
• Disable SMBv1 protocol where not required
• Block inbound SMB traffic at network perimeters
• Segment internal networks to limit lateral movement
• Maintain updated endpoint protection and intrusion detection systems

Recommended Security Tools:

• Antivirus/EDR capable of detecting kernel anomalies
• Network intrusion detection systems (NIDS) monitoring SMB traffic
• Vulnerability scanners to identify exposed SMB services
• Microsoft Defender with exploit mitigation enabled

---

6. Detecting and Removing DoublePulsar

Indicators of Compromise (IoCs):

• Unusual SMB traffic patterns or malformed SMB responses
• Systems missing MS17-010 patch
• Kernel memory anomalies detected by security tools
• Presence of secondary malware deployed shortly after SMB exploitation

Removal Steps:

1. Patch the SMB vulnerability (MS17-010) immediately
2. Use specialized detection tools designed to identify DoublePulsar implants
3. Remove any secondary payloads delivered by the backdoor
4. Reboot systems and validate kernel integrity
5. Consider reimaging systems for full assurance

Professional Help:
Due to its kernel-level operation, organizations should engage incident response teams to confirm removal and assess lateral movement.

---

7. Response to a DoublePulsar Infection

Immediate Steps:

• Disconnect affected systems from the network
• Patch all vulnerable machines
• Conduct full network scans for SMB exposure
• Identify and remove any secondary malware (e.g., ransomware)
• Review logs for signs of lateral spread

---

8. Legal and Ethical Implications

Legal Considerations:
The leak of DoublePulsar tools raised international debate about the stockpiling of cyberweapons by intelligence agencies. Victims of exploitation may face breach notification requirements if sensitive data was accessed.

Ethical Considerations:
DoublePulsar highlights the risks of offensive cyber tools being leaked and repurposed by criminals. What was once a state-developed tool became a widespread criminal weapon after public exposure.

---

9. Resources and References

• Microsoft Security Advisory MS17-010
• Shadow Brokers leak analysis reports
• WannaCry outbreak investigations
• MITRE ATT&CK Techniques:
  • T1068 (Exploitation for Privilege Escalation)
  • T1210 (Exploitation of Remote Services)
  • T1105 (Ingress Tool Transfer)
  • T1055 (Process Injection)

---

10. FAQs about DoublePulsar

Q: What is DoublePulsar?
A Windows kernel-level backdoor installed after exploiting SMB vulnerabilities.

Q: How does it infect systems?
Through exploitation of the MS17-010 SMB flaw, typically using EternalBlue.

Q: Is DoublePulsar still active?
While the original campaigns were in 2017, unpatched systems can still be targeted by similar tools.

Q: How can it be removed?
By patching vulnerabilities, scanning with specialized tools, and removing any secondary payloads.

---

11. Conclusion

DoublePulsar became one of the most infamous backdoors after the 2017 cyberweapon leaks, enabling devastating ransomware outbreaks and widespread exploitation. Its memory-resident, kernel-level design demonstrated how dangerous post-exploitation implants can be—especially when combined with network worm capabilities. Keeping systems patched and limiting SMB exposure remains the most effective defense.

 

 

« Back to the Virus Information Library

« Back to the Security Center