Earlier this month, WannaCry, the malicious ransomware that utilised two leaked NSA hacking tools, infected millions of Windows systems across the globe. Now, infosec researcher Miroslav Stampar has found its big brother, according to Bleeping Computer. The new malware, dubbed EternalRocks, uses seven NSA hacking tools to infect vulnerable Windows PCs. Stampar Discovered EternalRocks when it infected an SMB honeypot he uses to lure malware in order to study it.
Bleeping Computer’s Catalin Cimpanu reveals that EternalRocks uses the leaked NSA hacking tools to exploit SMB ports. EternalRocks is more complex – and potentially more infectious – than WannaCry, but that the worm has not yet been weaponised.
Cimpanu writes:
“The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.
Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”
Stampar reports that EternalRocks is a rather sly piece of malware. It installs itself in two stages, with a 24-hour delay in-between. During that delay, the malware installs a TOR client and signals a dark web domain.
Cimpanu explains:
“As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it’s actually the opposite.
For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.
Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”
If and when EternalRocks is weaponised, the malicious worm has the potential to wreak havoc.
Shadow Brokers, the team responsible for leaking the NSA hacking tools used in both WannaCry and EternalRocks, have promised more to worry about next month. In a fresh blog post, Shadow Brokers reveals it will leak more NSA hacking tools soon. “More details in June,” the group promises.
According to a new report, the GeForce RTX 5090 GPU will be very expensive. It…
A new AMD processor in the form of an engineering model has been leaked in…
SK Hynix has claimed to be the first company to mass-produce 321-layer NAND memory chips.…
SOUNDS GREAT – Full stereo sound (12W peak power) gives your setup a booming audio…
Special Edition Yoshi design Ergonomic controller shape with Nintendo Switch button layout Detachable 10ft (3m)…
Fluid Motion: These flight rudder pedals are smooth and accurate that enable precise control over…