ExtraPulsar is a proof-of-concept backdoor Trojan that abuses a Windows network traffic-handling component to carry its C&C communications. Although the threat is a mostly theoretical program, its implementation is relatively simple, and its code is freely available. Users should protect themselves by monitoring their network traffic and loaded drivers for unusual changes and by keeping anti-malware products capable of removing ExtraPulsar infections.
The Pulse is Staying Strong
The Shadow Brokers-leaked DoublePulsar backdoor Trojan is getting a callback, but it's not so much a direct replacement as it is an 'inspired by' project. The proof-of-concept (POC) Trojan, ExtraPulsar, is under twenty lines of code that any Web surfer can download from GitHub. Despite that tiny size, it is a backdoor Trojan that could let attackers control your computer.
ExtraPulsar is a Python-based Trojan that runs as an extra module for the Server Network Driver, a default Windows component that handles network traffic. It loads alongside any other drivers that the user's settings have enabled, such as srv2.sys or srv.sys (which, in modern environments, is off by default), without interfering with them. ExtraPulsar then 'listens' for SMB packets that contain identifying byte markers and singles them out so it can act on commands from a C&C server.
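The detection side of that description, as an added example that is not part of the original article or of the ExtraPulsar project: a small SMB2 message inspector that parses the fixed 64-byte header, flags generic header anomalies (wrong protocol ID, wrong structure size, undefined command code), and reports any message whose body carries a watched byte marker. The marker value, the sample messages and the builder helper are all constructed here for illustration; the article does not give the real marker bytes, so `PLACEHOLDER_MARKER` is a stand-in a defender would replace with the bytes found during their own analysis.

```python
"""Inspect SMB2 messages for header anomalies and a watched byte marker.

Added example (not the article's or project's code). The marker is a
constructed placeholder; the real identifying bytes are not on the page.
"""
import struct
from typing import Dict, List

# Fixed 64-byte SMB2 header (MS-SMB2 section 2.2.1), little-endian fields:
# ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
# Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature.
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_MAX_COMMAND = 0x0013  # OPLOCK_BREAK is the last command code MS-SMB2 defines

# Assumption: placeholder marker bytes; replace with bytes from your own analysis.
PLACEHOLDER_MARKER = b"\x00EXTRAPULSAR-PLACEHOLDER\x00"


def build_smb2_message(command: int, body: bytes, message_id: int = 1,
                       flags: int = 0) -> bytes:
    """Construct a minimal SMB2 message (header + body) for the sample set."""
    header = SMB2_HEADER.pack(
        SMB2_PROTOCOL_ID,  # ProtocolId
        64,                # StructureSize (always 64 for SMB2)
        1,                 # CreditCharge
        0,                 # Status / ChannelSequence+Reserved
        command,           # Command
        1,                 # CreditRequest
        flags,             # Flags
        0,                 # NextCommand (0 = not compounded)
        message_id,        # MessageId
        0,                 # Reserved
        0,                 # TreeId
        0,                 # SessionId
        b"\x00" * 16,      # Signature (unsigned sample)
    )
    return header + body


def parse_smb2_header(msg: bytes) -> Dict[str, int]:
    """Unpack the header fields we care about; raise if the message is too short."""
    if len(msg) < SMB2_HEADER.size:
        raise ValueError("message shorter than an SMB2 header")
    (proto, size, _cc, status, command, _cr, flags, next_cmd,
     mid, _res, tid, sid, _sig) = SMB2_HEADER.unpack_from(msg)
    return {"protocol_id": proto, "structure_size": size, "status": status,
            "command": command, "flags": flags, "next_command": next_cmd,
            "message_id": mid, "tree_id": tid, "session_id": sid}


def inspect_smb2_message(msg: bytes, marker: bytes = PLACEHOLDER_MARKER) -> List[str]:
    """Return a list of findings for one message; an empty list means nothing odd."""
    findings: List[str] = []
    hdr = parse_smb2_header(msg)
    if hdr["protocol_id"] != SMB2_PROTOCOL_ID:
        findings.append("protocol id is not SMB2")
    if hdr["structure_size"] != 64:
        findings.append(f"structure size {hdr['structure_size']} != 64")
    if hdr["command"] > SMB2_MAX_COMMAND:
        findings.append(f"undefined command code 0x{hdr['command']:04x}")
    # A backdoor riding on the server's own SMB handling leaves the header
    # well-formed, so the body is where an identifying marker would sit.
    if marker in msg[SMB2_HEADER.size:]:
        findings.append("body carries the watched marker")
    return findings


# Constructed samples: one ordinary NEGOTIATE request, one WRITE whose body
# carries the placeholder marker, and one message with a command code SMB2
# does not define.
SAMPLES: Dict[str, bytes] = {
    "negotiate": build_smb2_message(0x0000, b"\x24\x00\x01\x00" + b"\x00" * 32),
    "marker_in_write": build_smb2_message(
        0x0009, b"\x31\x00" + PLACEHOLDER_MARKER + b"\x00" * 8, message_id=7),
    "bogus_command": build_smb2_message(0x00ff, b"\x00" * 8, message_id=8),
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, List[str]]:
    """Run the inspector over every sample and map its name to its findings."""
    return {name: inspect_smb2_message(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

Fed real traffic, the same `inspect_smb2_message` call would sit behind a port-445 capture loop; the point of running it over constructed samples is that the header checks catch malformed messages on their own, while the marker check is only as good as the bytes you feed it.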
Further capabilities of ExtraPulsar aren't yet weapons in the hands of the Black Hat community at large, but malware experts find that most backdoor Trojans focus on collecting passwords (or other sensitive information) or on dropping other threats, including spyware, file-locker Trojans, and rootkits. ExtraPulsar's implementation also gives it some built-in advantages, including kernel privileges and network access without the new listening port or separate traffic that a conventional backdoor would create.
Preventing Your PC from Playing an Extra in ExtraPulsar Infections
Besides its advantages, ExtraPulsar's method of running has at least one drawback: modern versions of Windows won't load an unrecognized kernel driver by default. The most likely way for threat actors to work around this limitation is to obtain a digital certificate belonging to a legitimate organization and sign a version of ExtraPulsar with it.
While malware experts recommend treating this Trojan as being as threatening as any other high-level threat, most security solutions should identify it. Having anti-malware products delete ExtraPulsar on sight should be taken for granted as the best response to any infection.
The infamy of the Shadow Brokers is getting a lot of mileage, even on sites that don't deserve it, like random GitHub projects. ExtraPulsar is, for all its creativity, attempting to grab fame from more sophisticated threats with more programming talent behind them.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to ExtraPulsar may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program, including SpyHunter? You may have a malware file running in memory that kills any program you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.