The Indexsinas SMB worm is again targeting vulnerable industries to launch self-propagating attacks, Guardicore Lab researchers warned.
Indexsinas, aka NSABuffMiner, which has been around since 2019, uses the old Equation Group weapons suite, which includes the NSA-developed EternalBlue and DoublePulsar backdoors and the DoublePulsar backdoor. It relies heavily on later movement to infect all machines on the network.
“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar and EternalRomance,” according to a Guardicore Labs analysis published Wednesday. “These exploits are used to breach new victim machines, obtain privileged access and install backdoors.”
The exploits developed by the US National Security Agency (NSA) and most notably used in the Wannacry and NotPetya attacks in 2017 are still active four years after their appearance, researchers said, presenting serious threats to the 1.2 million internet-facing SMB servers out there today.
“There are more than 1 million SMB servers accessible to anyone on the internet, and many of them still vulnerable to MS-17010; this is exactly what makes Indexsinas and similar attack campaigns profitable.”
Indexsinas has been using a massive infrastructure that’s made up of over 1,300 devices mainly in India, the U.S., and Vietnam to carry out attacks since 2019. There have been around 2,000 attacks in Guardicore’s telemetry to date.
It is difficult to pierce the veil of attacks to discover the identities of the individuals behind Indexsinas:
“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched and exposes no redundant ports to the internet. The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets’ statistics.”
The attack begins after a machine is breached using the tools of the NSA:
“These exploits run code in the victim’s kernel and are capable of injecting payloads to user-mode processes using asynchronous procedure calls (APCs),” researchers noted. “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”
The attack chain involves many batch scripts, such as payloads, downloaders, services, and scheduled tasks. It is also very competitive, as it can kill other attack groups’ processes.
To evade detection, this malware tries to kill various processes related to monitoring and analysis. It also tries to run silently by hiding its traces.
Researchers advise organizations to patch their SMB servers. The next step is identifying vulnerable entry points. In addition, implementing network segmentation and environmental visibility can help minimize the risk of becoming a victim of these attacks, researchers said.