
ExtraPulsar

Posted: April 26, 2019

ExtraPulsar is a proof-of-concept backdoor Trojan that abuses a Windows network traffic-handling component to carry its C&C communications. Although the threat is a mostly theoretical program, its implementation is relatively simple, and its code is freely available. Users should protect themselves by monitoring their network traffic and drivers for any unusual changes and by keeping anti-malware products equipped to remove ExtraPulsar infections.

The Pulse is Staying Strong

The Shadow Brokers-leaked DoublePulsar backdoor Trojan is getting a callback, but it's not so much a direct replacement as it is an 'inspired by' project. The proof-of-concept (POC) Trojan, ExtraPulsar, is under twenty lines of code that any Web surfer could download from GitHub. Despite that tiny size, it's also a backdoor Trojan that could let attackers control your computer.

ExtraPulsar is a Python-based Trojan that runs as an extra module for the Server Network Driver, a default Windows component that handles network traffic. It loads alongside whichever other drivers the user's settings have enabled, such as srv2.sys or srv.sys (which defaults to off in modern environments), without interfering with them. However, ExtraPulsar can 'listen' for SMB packets that contain identifying byte markers and isolate them in order to act on commands from a C&C server.

Further capabilities of ExtraPulsar aren't yet weapons in the hands of the Black Hat community at large, but malware experts find that most backdoor Trojans focus on collecting passwords (or other sensitive information) or dropping other threats, including spyware, file-locker Trojans, and rootkits. ExtraPulsar's interesting implementation also provides it with some default defenses, including kernel privileges and networking abilities without the corresponding network traffic or port-opening changes.

Preventing Your PC from Playing an Extra in ExtraPulsar Infections

The peculiarities of how ExtraPulsar persists and handles its network infrastructure make infections resistant to casual observation or detection. However, any live version of ExtraPulsar will require an installation exploit. Malware researchers recommend that users stick to complex passwords, avoid unsafe downloads, and take care whenever using potentially risky content, such as document macros or a website's JavaScript.

Besides its advantages, ExtraPulsar's method of running includes at least one drawback: modern versions of Windows won't load an unrecognized kernel driver by default. The most likely way for threat actors to work around this limitation is to obtain a digital certificate belonging to a legitimate organization and sign a version of ExtraPulsar with it.
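Following the advice above to watch drivers for unusual changes, and the point that an unrecognized kernel driver must carry a trusted signature to load, here is an added PowerShell check (not code from this page or from the ExtraPulsar project) that inventories the kernel drivers Windows has registered via Win32_SystemDriver, verifies each binary's Authenticode signature, and diffs the result against a saved baseline so a newly registered, relocated, or non-validly signed driver stands out. The baseline path and the $UpdateBaseline switch are assumptions of this example.

```powershell
# Added example (not code from the page or the ExtraPulsar project): inventory the
# kernel drivers Windows has registered, verify each binary's Authenticode signature,
# and diff against a saved baseline so a new, moved or non-validly signed driver stands out.
# Assumption: $BaselinePath is an arbitrary location chosen for this example.
param(
    [string]$BaselinePath = "$env:ProgramData\driver-baseline.json",
    [switch]$UpdateBaseline
)

function Get-DriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes; normalise it.
        $path = $_.PathName -replace '^"|"$', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $sig  = if ($path -and (Test-Path -LiteralPath $path)) {
                    (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
                } else { 'FileMissing' }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            State     = $_.State
            StartMode = $_.StartMode
            Signature = $sig
        }
    }
}

$current = @(Get-DriverInventory)

if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) drivers)"
    return
}

$known = @{}
foreach ($d in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) { $known[$d.Name] = $d }

foreach ($d in $current) {
    if (-not $known.ContainsKey($d.Name)) {
        Write-Warning "NEW driver: $($d.Name) [$($d.Signature)] $($d.Path)"
    } elseif ($d.Signature -ne 'Valid') {
        Write-Warning "Non-valid signature: $($d.Name) [$($d.Signature)] $($d.Path)"
    } elseif ($d.Path -ne $known[$d.Name].Path) {
        Write-Warning "Binary path changed: $($d.Name) $($known[$d.Name].Path) -> $($d.Path)"
    }
}
```

Run it once on a known-clean system to write the baseline, then on a schedule; treat each warning as a triage lead to verify against the vendor and signer rather than as a verdict, since legitimate third-party drivers also appear here.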

While malware experts recommend treating this Trojan as being as threatening as any other high-level threat, most security solutions should identify it. Having anti-malware products delete ExtraPulsar on sight should be taken for granted as the best response to any infection.

The infamy of the Shadow Brokers is getting a lot of mileage, even on sites that don't deserve it, like random GitHub projects. ExtraPulsar is, for all its creativity, attempting to grab fame from more sophisticated threats with more programming talent behind them.
