The leaked NSA hacking tools keep showing up in criminal schemes

In practice, EternalBlue will allow a hacker to quickly compromise multiple computers on a shared network as long as they are all similarly running dated Microsoft software.
(raymondclarkeimages / Flickr)

A hacking tool linked to the NSA continues to be used by cybercriminals in efforts to remotely steal money and confidential information from online banking users, according to research conducted by U.S. cybersecurity firm Proofpoint.

In a recent blogpost by company researchers, Proofpoint said it had discovered two different banking trojans in the wild with computer code taken from a now publicly available exploit known as “EternalBlue,” or CVE-2017-0144.

EternalBlue is believed to have been used by the NSA to gather intelligence. Originally leaked in April, the exploit works by targeting a dated vulnerability in Microsoft’s Server Message Block protocol. The vulnerability affects outdated versions of several different Microsoft operating systems.

Microsoft already released a patch to fix the issue.


In practice, EternalBlue will allow a hacker to quickly compromise multiple computers on a shared network as long as they are all similarly running dated software.

“Patching Windows can take a very long for many organizations – we routinely observe one or two-year-old (and sometimes older) exploits being used successfully in a variety of attacks,” explained Kevin Epstein, vice president of Threat Operations for Proofpoint. “As long as threat actors continue to find widespread, unpatched vulnerabilities, they will continue to leverage exploits like EternalBlue.”

The two trojans, Retefe and TrickBot, are relatively common and have been in use for several months as part of various email phishing campaigns against companies and individual users. The latest versions of these trojans are the ones that carry elements of EternalBlue.

The new variant of Retefe identified by Proofpoint was sent in an unsolicited email to a company. The email contained a malicious Microsoft Office document that was laden with embedded Package Shell Objects. When opened, a PowerShell command will launch a download for a .zip archive holding a obfuscated JavaScript installer hosted on a remote server. The eventual result is the installation of a virus that leverages EternalBlue to quickly spread inside an infected network.

Retefe has been largely used in attacks against banks in Austria, Sweden, Switzerland, Japan and the United Kingdom, according to researchers.


“While it has never reached the scale or notoriety of better-known banking Trojans such as Dridex or Zeus, [Retefe] is notable for its consistent regional focus, and interesting implementation,” a Proofpoint blog post notes.

More broadly, the use of EternalBlue in attacks doesn’t appear to be narrowly focused or aimed at one specific industry or region, experts say.

“There does not appear to be a common theme in terms of targeting for attacks leveraging EternalBlue,” said Epstein. “Rather, this approach seems to be evolving, giving attackers both destructive and disruptive potential as we saw with WannaCry’s rapid propagation via EternalBlue as well as more precise lateral movement after a successful infiltration through other vectors as we observed with Retefe.”

In the past, the EternalBlue exploits has been used tandem with ransomware to extort money from businesses. It’s not entirely clear who is behind Retefe or Trickbot, although a relatively small group is thought to be behind the spread of Retefe.

“Although this Retefe variant appears to be used exclusively by the so-called Retefe Gang, we don’t know who first developed the malware,” Epstein told CyberScoop. “We do not have sufficient information to attribute the Trickbot variant featuring EternalBlue to a particular author.”


The EternalBlue exploit first became publicly known and adoptable following the publication of a package of NSA documents by a group known as The Shadow Brokers.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts