Newly Found Malware Uses 7 NSA Tools, #Wannacry Only uses 2 – #EternalRocks Worm

A security researcher has identified a new strain of malware that also spreads by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it uses seven of them.

Last week, we warned you about multiple hacking groups exploiting the leaked NSA hacking tools, but almost all of them were using only two of them: EternalBlue and DoublePulsar.

Now Miroslav Stampar, the security researcher who created the well-known sqlmap tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill switch.

Unlike WannaCry, EternalRocks appears designed to operate quietly so that it remains undetected on the affected system.

Stampar discovered EternalRocks after it infected his SMB honeypot.

The NSA tools used by EternalRocks, which Stampar called “DoomsDayWorm” on Twitter, include:

  1. EternalBlue — SMBv1 exploit tool
  2. EternalRomance — SMBv1 exploit tool
  3. EternalChampion — SMBv2 exploit tool
  4. EternalSynergy — SMBv3 exploit tool
  5. SMBTouch — SMB reconnaissance tool
  6. ArchTouch — SMB reconnaissance tool
  7. DoublePulsar — Backdoor Trojan

As we have mentioned in our previous articles, SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for open SMB ports on the public internet.


EternalRocks (a.k.a. MicroBotMassiveNet)

EternalRocks is a network worm (i.e. self-replicating) that emerged in the first half of May 2017, with the oldest known sample dating to 2017-05-03. It spreads through public (The Shadow Brokers NSA dump) SMB exploits: EternalBlue, EternalRomance, EternalChampion and EternalSynergy, along with related programs: SMBTouch, ArchTouch and DoublePulsar.

taskhost.exe properties

First stage malware (obtained through remote exploitation by the second stage malware) downloads the .NET components needed by later stages, TaskScheduler and SharpZLib, from the Internet, while dropping (e.g. sample) and (e.g. sample). Component is used for downloading, unpacking and running Tor from , along with C&C ( ) communication requesting further instructions (e.g. installation of new components).

Second stage malware (Note: different from the one in the first stage) (e.g. sample) is downloaded after a predefined period (24h) from and run. After its initial run it drops the exploit pack shadowbrokers.zip and unpacks the contained directories , and . It then starts a random scan of open 445 (SMB) ports on the Internet, running the contained exploits (inside directory ) and pushing the first stage malware through payloads (inside directory ). It also expects the Tor process started by the first stage to be running, in order to get further instructions from the C&C.
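The second-stage behaviour described above, random connections to TCP/445 across the Internet, is visible from inside a network as one host fanning out to many distinct external addresses on port 445 within a short window. The Python below runs that fan-out check over constructed flow records. It is an added example, not code from the article or from Stampar's EternalRocks analysis; the log format, the RFC 1918 internal ranges, the 60-second window and the threshold of 10 distinct targets are all assumptions, not values from the writeup.

```python
"""Fan-out detector for SMB (TCP/445) worm scanning.

Added example; not from the article or from the EternalRocks writeup.
Assumptions: flow records are "timestamp src_ip dst_ip dst_port" per line,
RFC 1918 addresses are "internal", and a source that reaches at least
`threshold` distinct external addresses on port 445 within `window_seconds`
is reported as a scanner.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flows. 10.0.0.5 behaves like the scanner described in
# the writeup; 10.0.0.9 only talks to an internal file server on 445 and
# to one external web host; 10.0.0.7 touches two external hosts on 445.
SAMPLE_FLOWS = """\
2017-05-17T10:00:00 10.0.0.9 10.0.0.20 445
2017-05-17T10:00:03 10.0.0.9 10.0.0.20 445
2017-05-17T10:00:04 10.0.0.9 198.51.100.80 443
2017-05-17T10:00:05 10.0.0.5 203.0.113.11 445
2017-05-17T10:00:06 10.0.0.5 203.0.113.12 445
2017-05-17T10:00:07 10.0.0.5 198.51.100.13 445
2017-05-17T10:00:08 10.0.0.5 192.0.2.14 445
2017-05-17T10:00:09 10.0.0.5 203.0.113.15 445
2017-05-17T10:00:10 10.0.0.5 198.51.100.16 445
2017-05-17T10:00:11 10.0.0.5 192.0.2.17 445
2017-05-17T10:00:12 10.0.0.5 203.0.113.18 445
2017-05-17T10:00:13 10.0.0.5 198.51.100.19 445
2017-05-17T10:00:14 10.0.0.5 192.0.2.20 445
2017-05-17T10:00:15 10.0.0.5 203.0.113.21 445
2017-05-17T10:00:16 10.0.0.5 198.51.100.22 445
2017-05-17T10:00:20 10.0.0.7 203.0.113.30 445
2017-05-17T10:00:21 10.0.0.7 203.0.113.31 445
2017-05-17T10:00:22 10.0.0.7 203.0.113.30 445
"""

# Assumed internal ranges (RFC 1918). Checked explicitly rather than via
# ip.is_global so that documentation prefixes used in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'timestamp src dst port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_scanners(flows, port=445, window_seconds=60, threshold=10):
    """Return {src_ip: max_distinct_external_targets} for sources whose fan-out
    on `port` to external addresses reaches `threshold` within any window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        # Only internal->external connections on the SMB port are scan candidates.
        if dport == port and is_internal(src) and not is_internal(dst):
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans at most window_seconds.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for host, count in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {host} reached {count} distinct external hosts on 445")
```

Lowering the threshold surfaces the low-volume host as well, and shrinking the window drops the alert entirely, which is the usual tuning trade-off for fan-out rules: a worm scanning random addresses produces a sustained burst, while legitimate SMB traffic from a workstation rarely leaves the internal ranges at all.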

Host Based indicators

Dropped files

Paths

Persistence

  • Two scheduled tasks and having multiple triggers

Scheduled tasks

Mutexes

Samples

First stage

Second stage

Network indicators

C&C server(s)

Example C&C communication

Downloading required .NET components (first stage)

Appendix

Decompilation of an older sample

  • C# source

Globals

Network traffic capture (PCAP)

Yara rules

Debug strings

Indicators of Compromise (IOC)

SHA256


Imphash

Mutexes


File paths


Scheduled tasks

->

->
