EternalRocks network worm uses 7 NSA hacking tools
2017-05-21

At least one person is leveraging seven ShadowBrokers-leaked NSA hacking tools for a new EternalRocks network worm.


While you won’t be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor as it seems a wide range of bad guys have them in their toyboxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

EternalBlue and DoublePulsar

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign, but by a scanning operation that searched for vulnerable public-facing SMB ports, then used EternalBlue to get on the network and DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers’ April 14 dump of NSA hacking tools. Almost immediately, beginning in late April, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were “leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US.”

The attack leaves no trace: by spawning threads inside legitimate applications to impersonate them, it can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, “might pose a much bigger risk than WannaCry” as “many endpoints may still be compromised despite having installed the latest security patch.”

The security firm suggested one threat actor was stealing credentials using a Russian-based IP and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry “because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability.” Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

EternalRocks uses 7 NSA hacking tools

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the “EternalRocks” network worm doesn’t just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, DoublePulsar, ArchiTouch and SMBTouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesn’t drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesn’t begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be “a full scale cyber weapon.”

After that is unpacked, the EternalRocks worm begins scanning the internet for hosts with port 445 (SMB) open and pushes the first stage of the malware to them through the exploit payloads.
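One way a defender can spot the kind of port 445 sweep described above in firewall logs, as an added example that is not from the article or from Stampar’s research: it flags a source that fans out SMB connection attempts to many distinct destinations inside a short window, while leaving a host that repeatedly talks to a single file server alone. The log format, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 20           # distinct tcp/445 targets per source per window
WINDOW = timedelta(seconds=60)  # constructed values; tune to your own environment

def build_sample_log():
    """Constructed firewall log lines (not real traffic): '<ts> <src> <dst> <dport> <action>'.
    10.0.0.5 sweeps 25 external addresses on tcp/445 in 25 seconds (worm-like fan-out);
    10.0.0.7 opens many sessions to one file server, which is normal SMB use, plus web traffic."""
    lines = [f"2017-05-21T10:00:{i:02d} 10.0.0.5 203.0.113.{10 + i} 445 SYN" for i in range(25)]
    lines += [f"2017-05-21T10:00:{i:02d} 10.0.0.7 10.0.0.20 445 SYN" for i in range(30)]
    lines += [f"2017-05-21T10:00:{i:02d} 10.0.0.7 198.51.100.{i} 443 SYN" for i in range(30)]
    return "\n".join(lines)

def parse_line(line):
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak number of distinct tcp/445 destinations seen in any `window`}
    for sources whose peak reaches `threshold`; traffic on other ports is ignored."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        counts, start, peak = defaultdict(int), 0, 0
        for ts, dst in hits:                     # sliding window over time
            counts[dst] += 1
            while ts - hits[start][0] > window:  # evict events older than the window
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            scanners[src] = peak
    return scanners

if __name__ == "__main__":
    for src, n in find_smb_scanners(build_sample_log()).items():
        print(f"{src}: {n} distinct tcp/445 targets within {WINDOW.seconds}s (worm-like fan-out)")
```

The same fan-out check is also a reasonable trigger for blocking outbound tcp/445 at the perimeter, since legitimate SMB rarely needs to leave the network.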

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, “The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.”

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was “going to be huge.”

He later added:


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.
