The blackhats have created a new strain of malware that targets the same vulnerability as the WannaCry ransomware from the first week of May.
The Malware is called as EternalRocks, which uses the same flaw in Microsoft’s SMB networking protocol to infect other Windows systems that haven’t yet been patched with MS17-010. However, this new malware is far deadlier than WannaCry.
WannaCry Ransomware created havoc and tensions around the globe in the first half of May 2017. This ransomware just used 2 NSA hacking Tools ETERNALBLUE to compromise a machine and DOUBLEPULSAR to move around the network to find its victim and infect. Discovery of this new worm is spreading via SMB. It uses 7 NSA hacking tools which are leaked by a mysterious group calling themselves Shadow Brokers.
- EternalBlue — SMBv1 exploit tool
- EternalRomance — SMBv1 exploit tool
- EternalChampion — SMBv2 exploit tool
- EternalSynergy — SMBv3 exploit tool
- SMBTouch — SMB reconnaissance tool
- ArchTouch — SMB reconnaissance tool
- DoublePulsar — Backdoor Trojan
ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations which are used to scan for active SMB ports.
EternalRocks fake itself as WannaCry to fool security researchers, but instead of dropping ransomware and encrypting the user files, it gains unauthorized control on the affected computer to launch future cyber attacks. The victim is always a prey for attacks until the malware is found and taken required steps to eradicate such threat.
Now let’s see how the attack takes place
Infection of EternalRocks takes place in two stages.
In the first stage, malware entering a machine downloads necessary .NET components TaskScheduler and SharpZLib from the internet while dropping
svchost.exe and taskhost.exe. Component svchost.exe used for downloading, unpacking and running Tor from archive.torproject.org
After infection, in the second stage, the malware taskhost.exe downloads after a predefined period (usually 24hrs) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and execute. After initial execution, it drops a bunch of exploits through shadowbrokers.zip and unpacks the directories payloads/, configs/ and bins/. After that, it starts a random scan of opened 445 (SMB) ports on the internet while running contained exploits (available inside bins/) and pushing the first stage malware through payloads (inside payloads/ – shown in the image below). Also, it expects running Tor process from the first stage to get further instructions from C&C.
Saner caught this malware with Indicators (as seen in the image below).
The threats are detected in Viser.
EternalRocks can be weaponized instantly. Because of its larger exploit arsenal, the lack of a detection and remediation, and because of its initial inactive state, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author would ever decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.
Few of the exploits used by the NSA Hacking tools are already fixed in older Microsoft Patch updates
|“EternalBlue”||Addressed by MS17-010|
|“EmeraldThread”||Addressed by MS10-061|
|“EternalChampion”||Addressed by CVE-2017-0146 & CVE-2017-0147|
|“ErraticGopher”||Addressed prior to the release of Windows Vista|
|“EsikmoRoll”||Addressed by MS14-068|
|“EternalRomance”||Addressed by MS17-010|
|“EducatedScholar”||Addressed by MS09-050|
|“EternalSynergy”||Addressed by MS17-010|
|“EclipsedWing”||Addressed by MS08-067|
All these updates can be easily remediated through SecPod Saner. Install Saner to detect these type of threats and stay secure.