Earlier this month, WannaCry, the malicious ransomware that utilised two leaked NSA hacking tools, infected millions of Windows systems across the globe. Now, infosec researcher Miroslav Stampar has found its big brother, according to Bleeping Computer. The new malware, dubbed EternalRocks, uses seven NSA hacking tools to infect vulnerable Windows PCs. Stampar Discovered EternalRocks when it infected an SMB honeypot he uses to lure malware in order to study it.
Bleeping Computer’s Catalin Cimpanu reveals that EternalRocks uses the leaked NSA hacking tools to exploit SMB ports. EternalRocks is more complex – and potentially more infectious – than WannaCry, but that the worm has not yet been weaponised.
Cimpanu writes:
“The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.
Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”
Stampar reports that EternalRocks is a rather sly piece of malware. It installs itself in two stages, with a 24-hour delay in-between. During that delay, the malware installs a TOR client and signals a dark web domain.
Cimpanu explains:
“As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it’s actually the opposite.
For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.
Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”
If and when EternalRocks is weaponised, the malicious worm has the potential to wreak havoc.
Shadow Brokers, the team responsible for leaking the NSA hacking tools used in both WannaCry and EternalRocks, have promised more to worry about next month. In a fresh blog post, Shadow Brokers reveals it will leak more NSA hacking tools soon. “More details in June,” the group promises.
As one of the most popular online games lately, it’s no surprise that Xbox fans…
We've finally reached the month of November, and that means one thing for Xbox users:…
For those who haven't had it on their radar, this week we take a new…
An overclocker from the MSI team has managed to push the Kingston Fury Renegade CUDIMM…
It seems that NVIDIA wants to launch its next products ahead of time. We are…
The trend of upgrading storage from traditional hard drives to SSDs has become increasingly popular,…