The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread in the same way as the notorious WannaCry ransomware.
Stampar discovered EternalRocks after it infected his SMB honeypot; he called the malware ‘DoomsDayWorm.’
Stampar found that EternalRocks disguises itself as WannaCry, but instead of delivering ransomware it takes over the affected computer to power other attacks.
The researcher decompiled an older sample of EternalRocks (from the start of May) and published it on GitHub.
Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven of the exploits leaked by the Shadow Brokers, and its code does not include a kill switch.
EternalRocks was developed to avoid detection and to remain hidden on the target system; it uses the following NSA exploits:
EternalRocks downloads all of the above SMB exploits to the infected computer, then scans the Internet for other systems with open SMB ports to compromise.
Looking closely at the list, we find the SMB exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance.
DoublePulsar is the exploit the malware uses to implement network worm capabilities, while SMBTouch and ArchiTouch are SMB reconnaissance tools designed to scan for systems with open SMB ports exposed on the Internet.
EternalRocks works in two stages:
During the first stage, EternalRocks downloads the Tor web browser onto the affected computer, then uses it to connect to the command-and-control (C&C) server located on the Tor network.
The second stage starts after 24 hours; by delaying its action the malware attempts to evade sandbox analysis.
“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components),” wrote the researcher.
“Second stage malware taskhost.exe (Note: different than one from first stage) (e.g. sample) is being downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.”
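As an added example (not code from the article or from the researcher's repository), the following hunt looks for the two-stage behaviour described above in constructed host telemetry: a non-system svchost.exe fetching Tor from archive.torproject.org, the shadowbrokers.zip exploit pack being written to disk, and a burst of outbound connections to TCP 445 on many distinct hosts. The record layout, file paths, thresholds and TEST-NET addresses are assumptions; only the indicators come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the article; thresholds and paths below are constructed.
TOR_HOST = "archive.torproject.org"
EXPLOIT_PACK = "shadowbrokers.zip"
SYSTEM_DIR = r"c:\windows\system32"
SCAN_THRESHOLD = 20            # distinct 445 targets within SCAN_WINDOW
SCAN_WINDOW = timedelta(minutes=5)

# Constructed telemetry, one "ISO-timestamp|image path|event|detail" record per
# line (a simplified Sysmon-like shape, not a real log format). The last group
# mimics the second stage's random Internet-wide scan of TCP 445 (TEST-NET IPs).
SAMPLE_EVENTS = [
    "2017-05-03T10:00:00|C:\\ProgramData\\svchost.exe|net|archive.torproject.org:443",
    "2017-05-03T10:00:05|C:\\Windows\\System32\\svchost.exe|net|time.windows.com:123",
    "2017-05-04T10:00:00|C:\\ProgramData\\taskhost.exe|file|C:\\ProgramData\\shadowbrokers.zip",
] + [
    f"2017-05-04T10:01:{i:02d}|C:\\ProgramData\\taskhost.exe|net|203.0.113.{i}:445"
    for i in range(25)
]

def parse(line):
    ts, image, event, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), image, event, detail

def hunt(lines):
    """Return (finding, subject) tuples for the three stage markers."""
    findings = []
    smb_conns = defaultdict(list)  # image -> [(timestamp, destination ip)]
    for ts, image, event, detail in map(parse, lines):
        # Stage 1: Tor fetched by an svchost.exe that does not live in System32.
        if event == "net" and TOR_HOST in detail and not image.lower().startswith(SYSTEM_DIR):
            findings.append(("tor_download_from_non_system_path", image))
        # Stage 2: the exploit pack is written to disk.
        if event == "file" and detail.lower().endswith(EXPLOIT_PACK):
            findings.append(("exploit_pack_dropped", detail))
        # Stage 2: collect outbound SMB connections for the burst check below.
        if event == "net" and detail.endswith(":445"):
            smb_conns[image].append((ts, detail.rsplit(":", 1)[0]))
    # Many distinct 445 destinations in a short window is worm scanning, not the
    # handful of file-server connections a workstation normally makes.
    for image, conns in smb_conns.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:] if t - start <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                findings.append(("smb_scan_burst", image))
                break
    return findings
```

`hunt(SAMPLE_EVENTS)` returns one finding per stage marker, while the legitimate System32 svchost.exe record is left alone.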
(Security Affairs – EternalRocks, EternalBlue vulnerability)