DoublePulsar

{{Short description|Backdoor implant tool}}

{{For|the only known double pulsar star system|PSR J0737-3039}}

{{Infobox computer virus
| fullname = Pulsar Vulnerability
| image =
| caption =
| common_name =
| technical_name =
  • Double Variant
  • Trojan:Win32/DoublePulsar (Microsoft)
  • Backdoor.DoublePulsar (Fortiguard)
  • Dark Variant
  • Trojan.Darkpulsar (Symantec){{cite web |title=Trojan.Darkpulsar |url=https://www.symantec.com/security-center/writeup/2017-042107-1152-99 |website=Symantec |archive-url=https://web.archive.org/web/20191003212706/https://www.symantec.com/security-center/writeup/2017-042107-1152-99 |archive-date=3 October 2019 |language=en}}
  • Win32/Equation.DarkPulsar (ESET){{cite web |title=Win32/Equation.DarkPulsar.A {{!}} ESET Virusradar |url=https://www.virusradar.com/en/Win32_Equation.DarkPulsar.A/description |website=www.virusradar.com}}
| aliases =
| family = Pulsar (backdoor family)
| classification =
| type =
| subtype =
| isolation_date =
| origin =
| infection_vector =
| author = Equation Group
| ports_used =
| OS =
| filesize =
| language =
}}


DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.{{Citation needed|reason=Concrete evidence linking Equation Group and the NSA not found|date=October 2023}} The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,{{cite magazine|url=https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/|title=Double Pulsar NSA leaked hacks in the wild|first=Bruce|last=Sterling|magazine=Wired }}{{cite news|url=https://www.bloomberg.com/news/articles/2017-05-04/seriously-beware-the-shadow-brokers|title=Seriously, Beware the 'Shadow Brokers'|newspaper=Bloomberg |date=4 May 2017|via=www.bloomberg.com}}{{cite web|url=https://www.scmagazine.com/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/article/652518/|title=DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump|date=25 April 2017}}{{cite web|url=https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/|title=Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage}}{{cite web|url=https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/|title=>10,000 Windows computers may be infected by advanced NSA backdoor|date=21 April 2017 }} and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.{{cite web|url=https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/|title=Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It|first=Dell|last=Cameron|date=13 May 2017 }}{{cite web|url=https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/#38e56ad374fc|title=How One Simple Trick Just Put Out That Huge Ransomware Fire|first=Thomas|last=Fox-Brewster|website=Forbes }}{{cite web|url=http://blog.talosintelligence.com/2017/05/wannacry.html|title=Player 3 Has Entered the Game: Say Hello to 'WannaCry'|website=blog.talosintelligence.com|date=12 May 2017 |access-date=2017-05-15}} A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.{{cite web|url=https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/|title=Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak|website=arstechnica.com|date=7 May 2019 |access-date=2019-05-07}}

Sean Dillon, a senior analyst at the security company RiskSense Inc., was the first to dissect DoublePulsar.{{cite web|url=https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html|title=DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis|website=zerosum0x0.blogspot.com|date=21 April 2017 |access-date=2017-05-16}}{{cite web|url=https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/|title=NSA's DoublePulsar Kernel Exploit In Use Internet-Wide|website=threatpost.com|date=24 April 2017 |access-date=2017-05-16}} He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and that they use DoublePulsar as their primary payload. DoublePulsar runs in kernel mode, which gives an attacker a high level of control over the compromised system. Once installed, it accepts three commands: ping, kill, and exec, the last of which can be used to load further malware onto the system.

References