February 6, 2018

New whitepaper - DanderSpritz/PeddleCheap traffic analysis (Part 1 of 2)

John Bergbom Senior Security Researcher

In April 2017, a hacker group named The Shadow Brokers released some very advanced cyber weapons. The leaked tools allegedly originate from the hacking arsenal of a powerful intelligence agency. One of the tools in the leak is a post-exploitation framework called DanderSpritz, which is used for communicating with compromised computers. Forcepoint™ has analyzed the PeddleCheap module of this DanderSpritz framework. The research focuses on network-level communications. To our knowledge, no similar research has previously been published.

Motivation for the research

PeddleCheap and its associated exploits were used by the intelligence community for years before they were leaked to the public. Simply recognizing and blocking initial PeddleCheap infections will not block systems that are already infected from communicating.

The goal with our research was to devise a way to fingerprint PeddleCheap traffic to allow us to detect dormant implants on systems where the initial infection took place before the April 2017 Shadow Brokers dump.

Our research

To establish a context for this research, this is the high-level workflow from the attacker’s point of view:

  1. Victim is infected with the DoublePulsar backdoor using the EternalBlue exploit
  2. Malicious implant is created and configured
  3. A PeddleCheap listener is started in the DanderSpritz GUI
  4. Implant is uploaded to the victim via the DoublePulsar backdoor
  5. Implant is executed and starts communicating with PeddleCheap

The focus of this research is on the last point: how PeddleCheap and the implant communicate. Our purpose with this research is to help the security community combat the threat of dormant implants by providing fingerprints for use in intrusion detection/prevention systems. This research also provides insight into how a well-resourced intelligence agency may implement encrypted communication.

Download links to our whitepaper and other resources are provided further below.


Communication starts with a three-way handshake where a symmetric session key is securely exchanged. Here is a high-level sequence diagram of the traffic where PeddleCheap is used by the human attacker and the implant resides on a compromised computer:

Protection statement

Forcepoint Next Generation Firewall (NGFW), Forcepoint Web Security Cloud, and Forcepoint Web Security recognize and protect against traffic between PeddleCheap and malicious implants.

Detecting malicious traffic

The whitepaper contains recommendations for how to fingerprint malicious traffic in order to detect and block it.

Download links and other resources

Whitepaper: our technical analysis is available for download here.

A script for parsing and decrypting a network-capture and PCAPs with example traffic are available for download at: https://github.com/johnbergbom/PeddleCheap/

Look out for the second blog in the series 

We have now published Part 2 of 2 in this blog series related to evasions used in DoublePulsar and DanderSpritz.

John Bergbom

Senior Security Researcher

John Bergbom is a Senior Security Researcher on Forcepoint’s Special Investigations team within Forcepoint Security Labs. He investigates a range of topics ranging from malware analysis and reverse engineering to the security implications of new technologies. From previous roles, he has...

Read more articles by John Bergbom

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.