WannaCry’s Big Brother is Coming – Uses Seven NSA Hacking Tools

/ 4 years ago

WannaCry’s Big Brother is Coming – Uses Seven NSA Hacking Tools

Earlier this month, WannaCry, the malicious ransomware that utilised two leaked NSA hacking tools, infected millions of Windows systems across the globe. Now, infosec researcher Miroslav Stampar has found its big brother, according to Bleeping Computer. The new malware, dubbed EternalRocks, uses seven NSA hacking tools to infect vulnerable Windows PCs. Stampar Discovered EternalRocks when it infected an SMB honeypot he uses to lure malware in order to study it.

Let’s Rock

Bleeping Computer’s Catalin Cimpanu reveals that EternalRocks uses the leaked NSA hacking tools to exploit SMB ports. EternalRocks is more complex – and potentially more infectious – than WannaCry, but that the worm has not yet been weaponised.

Cimpanu writes:

“The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.

Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”

More Complex, Less Malicious… For Now

Stampar reports that EternalRocks is a rather sly piece of malware. It installs itself in two stages, with a 24-hour delay in-between. During that delay, the malware installs a TOR client and signals a dark web domain.

Cimpanu explains:

“As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it’s actually the opposite.

For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.

During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.

Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”

If and when EternalRocks is weaponised, the malicious worm has the potential to wreak havoc.

More Malware En Route

Shadow Brokers, the team responsible for leaking the NSA hacking tools used in both WannaCry and EternalRocks, have promised more to worry about next month. In a fresh blog post, Shadow Brokers reveals it will leak more NSA hacking tools soon. “More details in June,” the group promises.

Topics: ,

Support eTeknix.com

By supporting eTeknix, you help us grow and continue to bring you the latest newsreviews, and competitions. Follow us on FacebookTwitter and Instagram to keep up with the latest technology news, reviews and more. Share your favourite articles, chat with the team and more. Also check out eTeknix YouTube, where you'll find our latest video reviews, event coverage and features in 4K!

Looking for more exciting features on the latest technology? Check out our What We Know So Far section or our Fun Reads for some interesting original features.

eTeknix Facebook eTeknix Twitter eTeknix Instagram eTeknix Instagram

Check out our Latest Video

Send this to a friend