DoublePulsar is the backdoor implant that was developed by the NSA and released by ShadowBrokers on Friday, April 14th 2017. Since its release the tool has been used by hackers around the globe to gain a backdoor into machines with open SMB v1 or RDP. Metasploit has now been updated to include the detection of this RCE (auxiliary/scanner/smb/smb_ms17_010). Research from multiple independents have discovered a steady rise in infections around the globe with numbers around 344,000+ as of 4/26/2017 - BinaryEdge
Once you have entered the IP, port scanning 139 (SMB) and 3389 (RDP) kicks off. If the port(s) are then open we utilize a script for detection of the DoublePulsar implant created by CounterCept. This script uses Python2, querying the machine in question an SMB response that includes a 4-byte XOR cipher 0x7c3bf3c1. For a complete write up visit Countercepts blog post.
Check out Below0Day's blog post detailing the raising trend of DoublePulsar infections.
Follow us @BelowZeroDay