Short Bytes: A security researcher’s honeypot has caught a new malware that uses 7 NSA hacking tools to perform its attack. Named EternalRocks, this malware exploits Windows SMB flaws. While it doesn’t appear to be dropping ransomware at the moment, it leaves PCs vulnerable to remote commands in future attacks. To make sure that you remain protected, you’re advised to apply all the security patches or upgrade to a newer version of Windows.

Looking at the current situation, it’s clear that you won’t be forgetting WannaCry anytime soon. In case you’re missing some recent updates on it, you can visit this page to read our coverage of WannaCry, which is also called WanaDecrypt0r. This ransomware used the EternalBlue and DoublePulsar tools to wreak havoc.
Now, a security researcher has found a new worm named EternalRocks, which is spreading via SMB. While WannaCry exploited 2 NSA flaws, EternalRocks uses 7 NSA tools. EternalBlue and DoublePulsar tools are also a part of the arsenal of EternalRocks. The other 5 tools are Eternalchampion, Eternalromance, Eternalsynergy, Architouch and SMBtouch.
The existence of EternalRocks was discovered when it infected Miroslav Stampar’s honeypot. Stampar is the creator of the sqlmap tool, which is used to detect and exploit SQL injection flaws.
Stampar found out that the original name of EternalRocks was MicroBotMassiveNet. EternalRocks disguises itself as WannaCry to fool researchers. While it doesn’t drop ransomware, it opens the door for future attacks.
p.s. there is no ransomware here. After delayed (it seems 24h) download and self replicating worm pic.twitter.com/p9OfEpmv4N
— Miroslav Stampar (@stamparm) May 18, 2017
After infecting a machine via SMB, EternalRocks installs Tor and signals its C&C server, which is a .onion domain. Only after waiting for 24 hours does the malware’s C&C server respond. This delay is intended to evade security testing environments, which typically don’t observe a sample for that long.
Stampar has called EternalRocks a “full-scale cyber weapon.” After unpacking, it begins scanning for hosts with port 445 open and deploys the first stage of the malware. The researcher also notes that there’s no kill-switch in EternalRocks.
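Because EternalRocks has to probe many hosts on port 445 to spread, the scanning itself is something defenders can look for. The following script is an added example, not code from the article or from Stampar’s research: it reads connection-log lines in a simple assumed format (`<ISO timestamp> <src> <dst> <dport>`), keeps a sliding window of the distinct 445 peers each source has contacted, and flags any source that fans out to more than a threshold of peers within the window. The log format, the window and threshold values, and the sample data are all constructed for the demonstration.

```python
"""Flag hosts that fan out to TCP/445 across many distinct peers.

Added example (assumed log format and thresholds, constructed sample data).
A worm spreading over SMB must contact many hosts on port 445; an ordinary
workstation talks to a handful of file servers. Counting distinct 445 peers
per source inside a short time window separates the two.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 10                  # assumed: distinct 445 peers per source before alerting

# Constructed sample log: "<ISO timestamp> <src> <dst> <dport>", one record per line.
BASE = datetime(2017, 5, 18, 12, 0, 0)
SAMPLE_LOG = (
    # worm-like host: 25 distinct peers on 445, one new peer every second
    [f"{(BASE + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i + 1} 445"
     for i in range(25)]
    # ordinary workstation: repeated SMB sessions to one file server, plus HTTPS
    + [f"{(BASE + timedelta(seconds=3 * i)).isoformat()} 10.0.0.7 10.0.2.10 445"
       for i in range(8)]
    + [f"{(BASE + timedelta(seconds=5)).isoformat()} 10.0.0.7 10.0.3.1 443"]
)
SAMPLE_LOG.sort()  # the detector expects records in chronological order


def parse_line(line):
    """Split one log record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_smb_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: (first_alert_time, distinct_peer_count)} for sources that
    contacted more than `threshold` distinct destinations on port 445 within
    `window`. Each source is reported once, at the moment it crosses the line."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) seen on 445
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport != 445:
            continue  # only SMB traffic matters for this detector
        window_q = recent[src]
        window_q.append((ts, dst))
        # drop records that have aged out of the sliding window
        while window_q and ts - window_q[0][0] > window:
            window_q.popleft()
        peers = {peer for _, peer in window_q}
        if len(peers) > threshold and src not in alerts:
            alerts[src] = (ts, len(peers))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} ALERT {src} reached {count} distinct SMB peers")
```

The threshold is deliberately simple; in a real environment you would tune it per subnet and exempt known scanners such as vulnerability-management hosts, but the shape of the check (distinct peers per source per window, not raw connection counts) is what distinguishes worm propagation from a busy file-server client.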
How to save yourself from EternalRocks?
Due to the rise of threats like WannaCry and EternalRocks, it’s high time that users start taking security steps to defend themselves. Here is some advice that you need to follow:
- If it’s possible, replace older Windows systems with the latest versions.
- Grab all the patch releases and apply them.
You can read more about EternalRocks on Stampar’s GitHub page.
Did you find this story on EternalRocks malware helpful? Don’t forget to share your views.