DoublePulsar is a stealthy kernel-mode backdoor implant developed by the NSA's Equation Group and leaked by the Shadow Brokers in 2017. Its installation and communication involve a multi-stage process: exploitation of SMB protocol vulnerabilities (e.g., via EternalBlue), followed by covert command-and-control (C2) traffic masquerading as standard SMB error responses.
Installation and Communication Mechanism
Initial Exploitation
The backdoor is installed through SMB exploits (e.g., EternalBlue leveraging CVE-2017-0143). After compromising the system, DoublePulsar injects kernel shellcode to establish persistence.
Post-Installation C2 Protocol
Once active, DoublePulsar communicates using custom SMB extensions. Commands are hidden in standard SMB header fields:
Timeout field encodes commands (e.g., 0x23 = ping, 0xc8 = execute, 0x77 = kill). Multiplex ID in responses indicates status (e.g., incremented by 0x10 for success). Signature field contains an XOR key for payload encryption.
Stealthy Transaction Structure
Uses SMB_COM_TRANSACTION2 with the unimplemented subcommand TRANS2_SESSION_SETUP (0x000E). Infected hosts respond with STATUS_NOT_IMPLEMENTED but modify the Multiplex ID (e.g., 0x81 instead of 0x65).
Payload Delivery
For “execute” commands, payloads (e.g., malware) are encrypted with a dynamic XOR key derived from the SMB signature. Encrypted data is sent within SMB session parameters, bypassing signature-based detection.
Detection Indicators
Network Traffic
Look for SMB responses with Multiplex ID = 0x81, or unexpected STATUS_NOT_IMPLEMENTED responses to TRANS2_SESSION_SETUP requests.
Behavioral Signs
Null sub_command values in SMB traffic or anomalous Multiplex ID increments.
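As an added illustration of the indicators above (example code written for this page, not code from the original article or from any DoublePulsar analysis tool), the following Python script parses SMB1 Trans2 request/response pairs and flags the anomalies the text lists: a request carrying the unimplemented TRANS2_SESSION_SETUP subcommand, a STATUS_NOT_IMPLEMENTED response whose Multiplex ID is 0x81, and any response Multiplex ID that differs from the request's (a conforming SMB server echoes it unchanged). The sample packets are constructed inline, the builder and inspector function names are this example's own, and deriving the opcode as the low byte of the summed Timeout bytes is an assumption; the opcode values themselves (0x23, 0xC8, 0x77) are those the text gives.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E          # unimplemented subcommand abused by the implant
TRANS2_QUERY_FS_INFORMATION = 0x0003   # an ordinary subcommand, used for the benign sample
STATUS_SUCCESS = 0x00000000
STATUS_NOT_IMPLEMENTED = 0xC0000002
FLAGS_REPLY = 0x80                     # SMB header Flags bit that marks a response
IMPLANT_RESPONSE_MID = 0x81            # Multiplex ID the text lists as an indicator

# Opcode values are those given in the text; deriving the opcode as the low byte of
# the sum of the four Timeout bytes is an ASSUMPTION made for this example.
TIMEOUT_OPCODES = {0x23: "ping", 0xC8: "exec", 0x77: "kill"}


@dataclass
class Smb1Message:
    command: int
    status: int
    is_response: bool
    signature: bytes
    mid: int
    trans2_subcommand: Optional[int] = None
    timeout: Optional[bytes] = None


def parse_smb1(packet: bytes) -> Optional[Smb1Message]:
    """Parse a NetBIOS-framed SMB1 message: 4-byte session header + 32-byte SMB header.
    For SMB_COM_TRANSACTION2 requests, also extract Timeout and Setup[0] (the subcommand)."""
    if len(packet) < 36 or packet[4:8] != SMB1_MAGIC:
        return None
    hdr = packet[4:36]
    msg = Smb1Message(
        command=hdr[4],
        status=struct.unpack_from("<I", hdr, 5)[0],
        is_response=bool(hdr[9] & FLAGS_REPLY),
        signature=hdr[14:22],                      # SecurityFeatures (signature / XOR key)
        mid=struct.unpack_from("<H", hdr, 30)[0],
    )
    body = packet[36:]
    # Trans2 request parameter block: WordCount (15 when SetupCount is 1), then the
    # words; Timeout occupies word bytes 12..15 and Setup[0] word bytes 28..29.
    if (msg.command == SMB_COM_TRANSACTION2 and not msg.is_response
            and len(body) >= 31 and body[0] == 15):
        msg.timeout = body[13:17]
        msg.trans2_subcommand = struct.unpack_from("<H", body, 29)[0]
    return msg


def build_smb1(command: int, status: int, flags: int, signature: bytes, mid: int, body: bytes) -> bytes:
    """Assemble a minimal SMB1 header (TID/PID/UID zero) and prepend the NetBIOS length."""
    hdr = (SMB1_MAGIC + bytes([command]) + struct.pack("<I", status) + bytes([flags])
           + struct.pack("<HH", 0, 0) + signature + b"\x00\x00" + struct.pack("<HHHH", 0, 0, 0, mid))
    return struct.pack(">I", len(hdr) + len(body)) + hdr + body


def build_trans2_request(mid: int, subcommand: int, timeout: bytes, signature: bytes = b"\x00" * 8) -> bytes:
    """Constructed Trans2 request with no parameter/data bytes and a single Setup word."""
    words = (struct.pack("<HHHH", 0, 0, 0, 0) + bytes([1, 0]) + struct.pack("<H", 0) + timeout
             + struct.pack("<HHHHH", 0, 0, 0, 0, 0) + bytes([1, 0]) + struct.pack("<H", subcommand))
    return build_smb1(SMB_COM_TRANSACTION2, STATUS_SUCCESS, 0x18, signature, mid,
                      bytes([15]) + words + struct.pack("<H", 0))   # WordCount, words, ByteCount


def build_trans2_response(mid: int, status: int) -> bytes:
    """Constructed (simplified) Trans2 response with an empty parameter block."""
    return build_smb1(SMB_COM_TRANSACTION2, status, 0x98, b"\x00" * 8, mid, bytes([0]) + struct.pack("<H", 0))


def inspect_exchange(request: bytes, response: bytes) -> List[str]:
    """Return the indicator names that fire for one request/response pair."""
    req, resp = parse_smb1(request), parse_smb1(response)
    findings: List[str] = []
    if req is None or resp is None or not resp.is_response:
        return findings
    if req.command == SMB_COM_TRANSACTION2 and req.trans2_subcommand == TRANS2_SESSION_SETUP:
        findings.append("trans2-session-setup-request")
        opcode = sum(req.timeout) & 0xFF                      # assumed opcode derivation
        if opcode in TIMEOUT_OPCODES:
            findings.append(f"timeout-opcode:{TIMEOUT_OPCODES[opcode]}")
    if resp.command == SMB_COM_TRANSACTION2 and resp.status == STATUS_NOT_IMPLEMENTED:
        findings.append("status-not-implemented")
        if resp.mid == IMPLANT_RESPONSE_MID:
            findings.append("mid-0x81")
    if resp.mid != req.mid:                                   # servers echo the MID verbatim
        findings.append(f"mid-delta:0x{(resp.mid - req.mid) & 0xFFFF:02x}")
    return findings


# Constructed sample traffic (not a real capture).
PROBE = build_trans2_request(mid=0x41, subcommand=TRANS2_SESSION_SETUP, timeout=b"\x23\x00\x00\x00")
INFECTED_REPLY = build_trans2_response(mid=0x81, status=STATUS_NOT_IMPLEMENTED)
UNINFECTED_REPLY = build_trans2_response(mid=0x41, status=STATUS_NOT_IMPLEMENTED)
BENIGN_REQUEST = build_trans2_request(mid=0x41, subcommand=TRANS2_QUERY_FS_INFORMATION, timeout=b"\x00" * 4)
BENIGN_REPLY = build_trans2_response(mid=0x41, status=STATUS_SUCCESS)

if __name__ == "__main__":
    for label, pair in [("infected", (PROBE, INFECTED_REPLY)),
                        ("uninfected", (PROBE, UNINFECTED_REPLY)),
                        ("benign", (BENIGN_REQUEST, BENIGN_REPLY))]:
        print(f"{label}: {inspect_exchange(*pair)}")
```

The second sample pair shows why the Multiplex ID matters: an uninfected host also answers TRANS2_SESSION_SETUP with STATUS_NOT_IMPLEMENTED, but it echoes the request's Multiplex ID, so STATUS_NOT_IMPLEMENTED alone is not an infection indicator; the changed Multiplex ID is.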
Mitigation
- Patch SMB vulnerabilities (e.g., MS17-010).
- Block anomalous SMB transactions (e.g., unexpected SESSION_SETUP subcommands).
- Use tools like Nessus (plugin ID 99439) for active scanning.
DoublePulsar’s design evades detection by mimicking benign SMB errors, making it critical to monitor protocol anomalies rather than payload content.