A new malware called EternalRocks was discovered in late May that uses not only EternalBlue and DoublePulsar—the two National Security Agency (NSA) exploits leaked by the ShadowBrokers hacking group and used by the notorious WannaCry ransomware—but five other exploits and tools similarly leaked by the same group: EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. Most of these exploits target the MicrosoftServer Message Block (SMB), which handles access sharing between nodes on a network.
First discovered by Miroslav Stampar, a cybersecurity professional who works for Croatia’s Computer Emergency Response Team (CERT), EternalRocks employs a two-stage installation process after infecting its target. During the first stage, the malware downloads the TOR client to use as a communication channel, after which it will reach out to its Command & Control (C&C) server. The C&C server, surprisingly, will not send out an immediate response, and will only do so after 24 hours. It is being speculated that this delayed response was designed to avoid and bypass sandbox testing and security analysis. Once the C&C server responds, it will send out the main component taskhost.exe, which will then drop a zip file called shadowbrokers.zip that contains the NSA-based exploits. Once unpacked, EternalRocks will proceed to scan the internet for systems with open 445 ports, which serve as the gateway for the worm’s infection. Some of the vulnerabilities exploited by EternalRocks were addressed by the MS17-010 update released by Microsoft in March.
One distinction between WannaCry and EternalRocks is that the latter doesn’t seem to have any malicious payload so far. However, its ability to propagate quickly due to its worm component means that the systems infected with EternalRocks can suffer unwanted consequences if the malware is weaponized.
EternalRocks also has an added advantage over WannaCry, whose impact was mitigated by the existence of a kill switch that activated once it detects a specific domain to be “live”. EternalRocks has no such kill switch built into it, which makes any real world attack more difficult to slow down.
If last week’s WannaCry fiasco was not enough reason for people to update and patch their systems, then the emergence of a potentially more dangerous malware should heighten the urgency. Given that EternalRocks uses the same exploits employed by WannaCry, both system administrators and individual users should patch their systems immediately, while EternalRocks still lacks any sort of malicious payload. In the case of malware such as WannaCry and EternalRocks, prevention should be far easier than finding a cure.
Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect similar threats even without any engine or pattern update.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).