Scanning can take some time, please be patient...
DOUBLEPULSAR RDP
DETECTED!
DOUBLEPULSAR SMB
DETECTED!
NO DOUBLEPULSAR
Implant Detected

DoublePulsar Scanning Service By Below0Day

Detection by Countercept

What is DoublePulsar?

DoublePulsar is the backdoor implant that was developed by the NSA and released by ShadowBrokers on Friday, April 14th 2017. Since its release the tool has been used by hackers around the globe to gain a backdoor into machines with open SMB v1 or RDP. Metasploit has now been updated to include the detection of this RCE (auxiliary/scanner/smb/smb_ms17_010). Research from multiple independents have discovered a steady rise in infections around the globe with numbers around 344,000+ as of 4/26/2017 - BinaryEdge

What to do?

How it works?

Once you have entered the IP, port scanning 139 (SMB) and 3389 (RDP) kicks off. If the port(s) are then open we utilize a script for detection of the DoublePulsar implant created by CounterCept. This script uses Python2, querying the machine in question an SMB response that includes a 4-byte XOR cipher 0x7c3bf3c1. For a complete write up visit Countercepts blog post.

Check out Below0Day's blog post detailing the raising trend of DoublePulsar infections.

Follow us @BelowZeroDay