WannaCry’s Big Brother is Coming – Uses Seven NSA Hacking Tools
Ashley Allen / 4 years ago
Earlier this month, WannaCry, the malicious ransomware that utilised two leaked NSA hacking tools, infected millions of Windows systems across the globe. Now, infosec researcher Miroslav Stampar has found its big brother, according to Bleeping Computer. The new malware, dubbed EternalRocks, uses seven NSA hacking tools to infect vulnerable Windows PCs. Stampar Discovered EternalRocks when it infected an SMB honeypot he uses to lure malware in order to study it.
Bleeping Computer’s Catalin Cimpanu reveals that EternalRocks uses the leaked NSA hacking tools to exploit SMB ports. EternalRocks is more complex – and potentially more infectious – than WannaCry, but that the worm has not yet been weaponised.
“The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.
Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”
— Miroslav Stampar (@stamparm) May 18, 2017
More Complex, Less Malicious… For Now
Stampar reports that EternalRocks is a rather sly piece of malware. It installs itself in two stages, with a 24-hour delay in-between. During that delay, the malware installs a TOR client and signals a dark web domain.
“As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex. According to Stampar, it’s actually the opposite.
For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.
Only after a predefined period of time — currently 24 hours — does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”
— Miroslav Stampar (@stamparm) May 19, 2017
If and when EternalRocks is weaponised, the malicious worm has the potential to wreak havoc.
More Malware En Route
Shadow Brokers, the team responsible for leaking the NSA hacking tools used in both WannaCry and EternalRocks, have promised more to worry about next month. In a fresh blog post, Shadow Brokers reveals it will leak more NSA hacking tools soon. “More details in June,” the group promises.