Earlier this month, WannaCry, the malicious ransomware that utilised two leaked NSA hacking tools, infected millions of Windows systems across the globe. Now, infosec researcher Miroslav Stampar has found its big brother, according to Bleeping Computer. The new malware, dubbed EternalRocks, uses seven NSA hacking tools to infect vulnerable Windows PCs. Stampar Discovered EternalRocks when it infected an SMB honeypot he uses to lure malware in order to study it.
Bleeping Computer’s Catalin Cimpanu reveals that EternalRocks uses the leaked NSA hacking tools to exploit SMB ports. EternalRocks is more complex – and potentially more infectious – than WannaCry, but that the worm has not yet been weaponised.
Cimpanu writes:
“The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.
Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”
Stampar reports that EternalRocks is a rather sly piece of malware. It installs itself in two stages, with a 24-hour delay in-between. During that delay, the malware installs a TOR client and signals a dark web domain.
Cimpanu explains:
“As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it’s actually the opposite.
For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.
Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”
If and when EternalRocks is weaponised, the malicious worm has the potential to wreak havoc.
Shadow Brokers, the team responsible for leaking the NSA hacking tools used in both WannaCry and EternalRocks, have promised more to worry about next month. In a fresh blog post, Shadow Brokers reveals it will leak more NSA hacking tools soon. “More details in June,” the group promises.
Electronic Arts (EA) announced today that its games were played for over 11 billion hours…
Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…
GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…
Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…
Ubisoft is not having the best of times, but despite recent flops, the company still…
If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…