New Worldwide Threat
By Mark Phillips ¦ Blog.TotalAV.com ¦ Updated 30th May 2017, 08.16 EDT
In yet more harrowing news, a Croatian researcher has discovered a new worm, known as EternalRocks, that utilizes seven stolen hacking tools from the NSA. The malware shares characteristics with WannaCry, and could potentially pose an even greater threat than the already notorious ransomware.
But, for now, there is no need to lose our heads in blind panic. Well, sort of. According to Miroslav Stampar, a member of the Croatian Government CERT, the EternalRocks bug is not currently activated to carry out attacks on infected computers.
In other words, for the moment it’s just code that is spreading itself from machine to machine. However, the C&C servers can send infected computers any chosen command at any time, including orders to download additional malware.
“The worm is racing with administrators to infect machines before they patch,” Stampar informed Bleeping Computer. “Once infected, he can weaponize any time he wants, no matter the late patch.”
The EternalRocks malware has its crosshairs fixed on computers with unpatched, exposed SMB ports – and there are numerous such machines in existence – and breaches them by employing six of the leaked NSA tools. For initial compromise, the worm sends in EternalChampion, EternalBlue, EternalSynergy and EternalRomance, and for SMB reconnaissance, ArchiTouch and SMBTouch.
The final tool, DoublePulsar, is utilized to spread to new computers and remains on those infected as an implant. DoublePulsar is left open by default, which means that other malicious programs can use it as a backdoor for any of the infected machines.
EternalRocks is stealthy in its approach, according to Stampar. After the worm infects a machine it sits quietly for twenty-four hours before talking to the C&C infrastructure in a bid to sneak by researcher analysis and sandboxing. Unlike WannaCry, which included a kill switch domain that could temporarily disable the threat, EternalRocks doesn’t have one.
All of these hacking tools have been made publicly available courtesy of the mysterious Shadow Brokers group. The recent WannaCry outbreak, an unprecedented cyber attack which infected computers with ransomware on a global scale, also used two of these hacking tools, DoublePulsar and EternalBlue.
Microsoft has announced that the leaked weapons can’t wreak havoc on its supported products, but did state that unsupported operating systems such as XP, and systems that aren’t up to date with critical patches, could be at risk.
According to Recorded Future, there has been a great deal of interest in Russian and Chinese darknet forums, with hacking tools such as EternalBlue being reverse engineered.