The EternalBlue exploit received a lot of attention when the Shadow Brokers released several hacking tools and other exploits used by the NSA-linked Equation Group, and again in May 2017 when the WannaCry ransomware used EternalBlue to spread.

The outbreak not only made headlines on global media platforms, it also disrupted a significant portion of the British National Health Service, which had to shut down affected systems. The same release of NSA tools also revealed DanderSpritz, a nasty piece of post-exploitation malware.

The Equation Group built DanderSpritz for one purpose: use after a network had already been compromised. It bundles tools for data collection, maintaining persistence and moving laterally through an environment, and it looks like a more sophisticated version of Metasploit's well-known Meterpreter. The nastiest of these tools is Eventlogedit, which was meant to delete individual entries from the Windows event logs of a compromised system.

Researchers Use a Python Script to Recover Deleted Logs

Fox-IT recently published a Python script that can recover records hidden by Eventlogedit. According to the publication, the DanderSpritz log cleaner has a bug: the utility does not actually remove the targeted log records. They are merely unreferenced, merged into the preceding record rather than deleted.

In simpler terms, the utility enlarges the size field of the clean record immediately before the target so that the enlarged record now covers the target record (or two or more consecutive targets). The Windows Event Viewer parses only the first record's XML, from its first start tag to the matching end tag, and silently ignores the trailing bytes, so the doctored log appears clean.

Although the records are not actually deleted, this is enough to hide malicious activity from anyone who relies on the Windows Event Viewer to inspect a compromised device.
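The following added example (my own code, not Fox-IT's danderspritz-evtx script and not DanderSpritz itself) shows the mechanism behind the two paragraphs above on a constructed, minimal EVTX-style log: records are wrapped in the real EVTX record framing (magic "**\0\0", size, record id, timestamp, body, trailing copy of the size), but the bodies are plain text standing in for BinXML. `hide_record` emulates the cover-up by enlarging the preceding record's size so the victim becomes part of its body; exactly which size copies the real Eventlogedit rewrites is an assumption here (this version patches the header size and the trailing copy at the end of the merged record). `parse_records` trusts the size field like Event Viewer does and therefore skips the victim, while `carve` finds the embedded record header and recovers it, using the surviving original trailer as a consistency check. All record ids, payloads and function names are constructed for the example.

```python
import struct

# Layout of one EVTX event record; in a real log the body is BinXML.
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # "**\0\0" marks the start of every record
HEADER_LEN = 24                      # magic(4) + size(4) + record id(8) + FILETIME(8)
TRAILER_LEN = 4                      # copy of the size field at the end of the record


def build_record(record_id, timestamp, payload):
    """Wrap a constructed payload in an EVTX-style record header and trailer.
    Real records carry BinXML here; the plain bytes are a stand-in, not valid BinXML."""
    size = HEADER_LEN + len(payload) + TRAILER_LEN
    return (RECORD_MAGIC + struct.pack("<IQQ", size, record_id, timestamp)
            + payload + struct.pack("<I", size))


def parse_records(blob):
    """Walk back-to-back records the way Event Viewer does: trust each size field."""
    records, offset = [], 0
    while offset + HEADER_LEN <= len(blob) and blob[offset:offset + 4] == RECORD_MAGIC:
        size, record_id = struct.unpack_from("<IQ", blob, offset + 4)
        records.append({"offset": offset, "record_id": record_id, "size": size,
                        "data": blob[offset + HEADER_LEN:offset + size - TRAILER_LEN]})
        offset += size
    return records


def hide_record(blob, victim_index):
    """Emulate the cover-up: fold record N into record N-1 by enlarging N-1's size so
    that N's bytes become part of N-1's body. Assumption: the header size of N-1 and
    the trailing size copy at the end of the merged record are rewritten; nothing is
    overwritten or zeroed, so N is unreferenced rather than deleted."""
    recs = parse_records(blob)
    prev, victim = recs[victim_index - 1], recs[victim_index]
    merged_size = prev["size"] + victim["size"]
    out = bytearray(blob)
    struct.pack_into("<I", out, prev["offset"] + 4, merged_size)
    struct.pack_into("<I", out, victim["offset"] + victim["size"] - TRAILER_LEN, merged_size)
    return bytes(out)


def carve(blob, start=0, end=None):
    """Recover every record, including ones folded into a predecessor.
    A record body should never contain a record header. When it does, and the 4 bytes
    in front of it equal the size the enclosing record would have had if it ended there
    (its untouched original trailer), the rest of the body is a chain of hidden records
    and is carved recursively. 'tampered' marks records whose size was enlarged."""
    end = len(blob) if end is None else end
    out, off = [], start
    while off < end:
        if blob[off:off + 4] != RECORD_MAGIC:
            raise ValueError(f"no record header at offset {off}")
        size, record_id = struct.unpack_from("<IQ", blob, off + 4)
        if size < HEADER_LEN + TRAILER_LEN or off + size > end:
            raise ValueError(f"implausible record size {size} at offset {off}")
        body_start, record_end = off + HEADER_LEN, off + size
        body = blob[body_start:record_end - TRAILER_LEN]
        pos = body.find(RECORD_MAGIC, TRAILER_LEN)
        while pos != -1:
            original_size, = struct.unpack_from("<I", body, pos - TRAILER_LEN)
            if original_size == pos + HEADER_LEN:   # consistent trailer: genuine embedded record
                break
            pos = body.find(RECORD_MAGIC, pos + 1)  # stray "**\0\0" inside data; keep looking
        if pos == -1:
            out.append({"record_id": record_id, "data": body, "tampered": False})
        else:
            out.append({"record_id": record_id, "data": body[:pos - TRAILER_LEN], "tampered": True})
            out.extend(carve(blob, body_start + pos, record_end))
        off = record_end
    return out


# Constructed sample log: four events; record 3 is the one the intruder wants gone.
SAMPLE_PAYLOADS = {
    1: b"<Event><EventID>4624</EventID><Account>admin</Account></Event>",
    2: b"<Event><EventID>4688</EventID><Process>svchost.exe</Process></Event>",
    3: b"<Event><EventID>4688</EventID><Process>evil.exe</Process></Event>",
    4: b"<Event><EventID>4634</EventID><Account>admin</Account></Event>",
}


def build_log():
    return b"".join(build_record(rid, 1000 + rid, p) for rid, p in SAMPLE_PAYLOADS.items())


def viewer_ids(blob):
    """What a size-trusting parser (Event Viewer) shows."""
    return [r["record_id"] for r in parse_records(blob)]


def hidden_ids(blob):
    """Records that carving finds but the viewer does not."""
    visible = set(viewer_ids(blob))
    return [r["record_id"] for r in carve(blob) if r["record_id"] not in visible]


if __name__ == "__main__":
    log = hide_record(build_log(), 2)          # fold record 3 into record 2
    print("viewer sees:", viewer_ids(log))      # [1, 2, 4]
    print("recovered:  ", hidden_ids(log))      # [3]
    for r in carve(log):
        print(r["record_id"], "tampered" if r["tampered"] else "clean", r["data"])
```

Two caveats for anyone applying this idea to real logs: a production recovery tool should parse the BinXML body properly rather than byte-scan for the magic, and recovery only works while the hidden bytes are still on disk, so a log that has since wrapped or been cleared with wevtutil offers nothing to carve.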

Negative Implications of DanderSpritz

Fox-IT's Python script helps investigators recover the original log records and trace the cybercriminal's footsteps. The script is available on GitHub and is a helpful tool when investigating such intrusions.

It is worth remembering that DanderSpritz has been in public circulation for over a year, which suggests the NSA no longer considers it a valuable tool. There is, however, a real possibility that cybercriminals have adopted the utility, or its log-clearing technique, into their own toolsets, in which case their activities may now be traceable.

https://github.com/fox-it/danderspritz-evtx

The Equation Group’s post-exploitation tools (DanderSpritz and more) Part 1