Exploit Used to Deliver WannaCry Now Delivering a RAT
Posted by: Timothy Weaver on 05/19/2017 02:29 PM
The EternalBlue exploit that was used to deliver the WannaCry ransomware is now being used to deliver a remote access trojan (RAT) that is able to spy on the activities of a user or take over the computer.
CyphortLabs discovered the attack in one of its honeypots.
“We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier RAT,” researchers said in an analysis. “Unlike WannaCry, this threat infects only once and does not spread. It is not a worm.”
Investigation of the RAT uncovered some of its features, which include screen and keyboard monitoring, audio and video surveillance, the ability to transfer, download or delete files and data, and general control of the infected machine.
“The threat actors probably did not want other threats mingling with their activity,” CyphortLabs said. Researchers added, “At first glance, the threat we discovered may not appear to be as destructive as the WannaCry ransomware, but it may be equally dangerous if not more, depending on the attacker’s intent.”
“WannaCry ransomware delivered a strong message to the world by being noisy and destructive,” the researchers said. “It seems that the message is clear now; that there are many systems out there that are vulnerable to cyberattacks…. In addition, if WannaCry did not happen, we may not be aware of a number of systems that are vulnerable to exploits whether they are zero-day, disclosed or undisclosed, and that makes this type of stealthy threat more dangerous. What will hurt you the most are those things that you did not see coming.”
Mounir Hadad, senior director of Cyphort Labs, said: "We believe at this point there are parallels with a group who has been building up the Mirai botnet and is now using EternalBlue to spread. We see the same C2 servers being used as the actors portrayed [by Kaspersky]. Given the previous uses of the Mirai botnet in mounting spectacular DDoS attacks, we can only speculate that the botnet is likely very large."
Source: Info Security
