Researchers have detected a new worm that is spreading via SMB, but unlike the worm components of the WannaCry ransomware, this one is using seven NSA tools instead of two.
The worm's existence on the internet first came to light on Wednesday, after it infected the SMB honeypots of Miroslav Stampar, a member of the Croatian Government CERT and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.
EternalRocks is more complex but less dangerous
As a worm, EternalRocks is far less dangerous than WannaCry's worm components, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it's actually the opposite.
For starters, EternalRocks is far more stealthy than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain on the Dark Web.
No kill switch domains
Additionally, EternalRocks also uses files with names identical to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it.
But unlike WannaCry, EternalRocks does not include a kill switch domain, the Achilles' heel that security researchers used to stop the WannaCry outbreak.
After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second-stage malware component in the form of an archive named shadowbrokers.zip.
EternalRocks could be weaponized in an instant
Because of its broader exploit arsenal, the lack of a kill switch domain, and its initial dormancy, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet if its author ever decides to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.
At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat.
This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands, and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks.
Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm's author has not taken any measure to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs.
IOCs and more info on the worm's infection process are available in a GitHub repository Stampar set up a few days ago.
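Because the DOUBLEPULSAR implant stays running in its default state on infected hosts, defenders can check their own exposed SMB services for it. The code below is an added example, not code from this article or from Stampar's repository: it parses an SMB1 Transaction2 reply and flags the well-known DOUBLEPULSAR fingerprint, a reply whose Multiplex ID is 0x51 to a probe that was sent with Multiplex ID 0x41, the check used by public scanners such as nmap's smb-double-pulsar-backdoor script. Header offsets follow the SMB1 header layout from MS-CIFS; the two sample replies are constructed inline, and the function and constant names are the example's own.

```python
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_FLAGS_REPLY = 0x80
SCANNER_MID = 0x41        # Multiplex ID the probe request is sent with
DOUBLEPULSAR_MID = 0x51   # Multiplex ID the implant answers the probe with


@dataclass
class Smb1Header:
    command: int
    status: int
    flags: int
    flags2: int
    tid: int
    pid: int
    uid: int
    mid: int


def parse_smb1_header(data: bytes) -> Smb1Header:
    """Parse a 4-byte NetBIOS session header followed by a 32-byte SMB1 header.

    Layout (MS-CIFS 2.2.3.1): Protocol(4) Command(1) Status(4) Flags(1) Flags2(2)
    PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2).
    """
    if len(data) < 36:
        raise ValueError("packet too short for a NetBIOS + SMB1 header")
    if data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    hdr = data[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 packet")
    # '<' disables struct alignment, so the unaligned 4-byte Status unpacks cleanly.
    command, status, flags, flags2, _pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    # Skip the 8-byte SecurityFeatures and 2 reserved bytes (offsets 14..23).
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return Smb1Header(command, status, flags, flags2, tid, pid_low, uid, mid)


def classify_trans2_reply(data: bytes) -> str:
    """Classify a reply to the Trans2 probe as 'doublepulsar', 'clean', or 'unexpected'."""
    try:
        h = parse_smb1_header(data)
    except ValueError:
        return "unexpected"
    if h.command != SMB_COM_TRANSACTION2 or not (h.flags & SMB_FLAGS_REPLY):
        return "unexpected"
    if h.mid == DOUBLEPULSAR_MID:
        return "doublepulsar"   # implant present and answering probes
    if h.mid == SCANNER_MID:
        return "clean"          # server echoed the MID we sent, as normal SMB does
    return "unexpected"


def build_smb1_reply(command: int, status: int, mid: int, body: bytes = b"") -> bytes:
    """Build a constructed SMB1 reply packet (used here only to produce sample input)."""
    hdr = (
        SMB1_MAGIC
        + struct.pack("<BIBHH", command, status, SMB_FLAGS_REPLY | 0x18, 0xC807, 0)
        + b"\x00" * 8      # SecurityFeatures
        + b"\x00\x00"      # Reserved
        + struct.pack("<HHHH", 0, 0xFEFF, 0, mid)
    )
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies, not captures from a real host.
INFECTED_REPLY = build_smb1_reply(SMB_COM_TRANSACTION2, 0xC0000002, DOUBLEPULSAR_MID)
CLEAN_REPLY = build_smb1_reply(SMB_COM_TRANSACTION2, 0x00000000, SCANNER_MID)
GARBAGE_REPLY = b"\x00\x00\x00\x04HTTP"


if __name__ == "__main__":
    for name, pkt in [("infected", INFECTED_REPLY), ("clean", CLEAN_REPLY), ("garbage", GARBAGE_REPLY)]:
        print(f"{name}: {classify_trans2_reply(pkt)}")
```

The probe itself is a Transaction2 request carrying the SESSION_SETUP subcommand, sent over an anonymous (null) session after the usual Negotiate, Session Setup and IPC$ tree connect; the classifier above only needs the reply bytes, so it can also be run over packet captures of existing scans. A "doublepulsar" verdict on one of your own hosts means the implant is reachable by anyone who can reach port 445, which is exactly the exposure the article describes.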