
‘Bigger than WannaCry’: New malware employs 7 NSA exploits, expert warns

Heads Up! New EternalRocks Worm More Dangerous Than WannaCry, Has No Kill-Switch

DAHBOO77

Published on May 22, 2017


—————————————————————————————————————————————————-

 

‘Bigger than WannaCry’: New malware employs 7 NSA exploits, expert warns

Published time: 22 May, 2017 18:58
Seven cyber exploits purportedly stolen from the US National Security Agency (NSA) have been identified in ‘EternalRocks’, a new type of malware detected by a Croatian tech security advisor.

Like the WannaCry malware, which struck hundreds of thousands of computers worldwide this month, EternalRocks draws on the leaked NSA SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy.

The worm also uses DoublePulsar, ArchiTouch and SMBTouch, tools from the same set released in the apparent NSA leak by the hacking group the Shadow Brokers.


The worm’s characteristics were identified by Miroslav Stampar, a Croatian security expert with the country’s Computer Emergency Response Team (CERT). He is also listed as a Croatian chapter member of the Honeynet Project, a volunteer network for “security research.”

In a breakdown published online, Stampar outlines how the “cyberweapon” installs itself in two separate stages, with the second stage running 24 hours after the first to avoid detection.

“After about six to eight hours of analysis, I found how to provoke the second stage,” said Stampar when contacted by RT.com. “I got kind of excited and scared as somebody had successfully, and professionally, packed all SMB exploits from ShadowBroker’s dump.

“I predicted that something bigger than WannaCry is coming,” he added.

Stampar explains that EternalRocks sits quietly on the target device but can be activated later for more malicious purposes: “Its sole purpose at this moment is propagation and waiting for further command and control updates. As I see it, it is a prelude,” he said.

Microsoft was forced to patch discontinued operating systems earlier this month after WannaCry exploited vulnerabilities in its software.


The patch came after more than 200,000 devices were infected with WannaCry, which encrypts files on the computer and demands that victims pay a ransom for their release. The wide-reaching ransomware blitz crippled parts of the UK National Health Service.

Last week, Quarkslab security advisor Adrien Guinet released information about a method for decrypting WannaCry. The ‘WannaKey’ tool was published to GitHub but only helps users running the Windows XP operating system.

—————————————————————————————————————————————————–

 
 
A security researcher has identified a new strain of malware that also spreads by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it uses all seven.

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.

Now Miroslav Stampar, the security researcher who created the well-known ‘sqlmap’ tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch.

 
Unlike WannaCry, EternalRocks is designed to operate quietly so that it goes unnoticed on the affected system.

Stampar learned of EternalRocks only because it infected his SMB honeypot.

The NSA tools used by EternalRocks, which Stampar called “DoomsDayWorm” on Twitter, are:

  1. EternalBlue — SMBv1 exploit (fixed by MS17-010)
  2. EternalRomance — SMBv1 exploit (fixed by MS17-010)
  3. EternalChampion — SMBv1 exploit (fixed by MS17-010)
  4. EternalSynergy — SMBv1 exploit (fixed by MS17-010)
  5. SMBTouch — SMB reconnaissance tool
  6. ArchiTouch — SMB reconnaissance tool
  7. DoublePulsar — kernel-mode backdoor implant

As we have mentioned in our previous articles, SMBTouch and ArchiTouch are reconnaissance tools run against a host’s SMB service before exploitation: SMBTouch checks whether the target is vulnerable to the Eternal* exploits, and ArchiTouch identifies the target’s architecture (32- or 64-bit) so the matching payload can be chosen.


EternalBlue, EternalChampion, EternalSynergy and EternalRomance are the exploits proper, each of which compromises a vulnerable Windows host over SMB.

DoublePulsar is the kernel-mode backdoor those exploits install on a compromised host; the worm then uses it to load its own payload on each newly infected machine, from which it goes on to attack other vulnerable systems on the same network.

 
Stampar found that EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware it takes unauthorized control of the affected computer so that it can be used to launch future attacks.
 

Here’s How EternalRocks Attack Works:

EternalRocks installs itself in a two-stage process.

During the first stage, EternalRocks downloads the Tor client onto the affected computer and uses it to reach its command-and-control (C&C) server, which is hosted as a hidden service on the Tor network.

According to Stampar, the second stage runs only after a delay of 24 hours, an attempt to defeat sandboxes, which typically observe a sample for minutes rather than a day and therefore never see the exploit stage.

After 24 hours, the infected host contacts the C&C server again and receives an archive containing the seven SMB tools listed above.

Once the archive is unpacked on the infected computer, EternalRocks scans the internet for hosts with an open SMB port (TCP 445) and spreads itself to any that are vulnerable.
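The two behaviours described in this procedure, an outbound Tor contact followed roughly 24 hours later by a burst of outbound SMB connections to many distinct hosts, are what a defender can look for in network logs. The detector below is an added example for this page, not code from Stampar’s analysis or from the worm. The log format (`<ISO-8601 time> <src_ip> <dst> <dst_port>`), the host names and addresses, and the detection thresholds (20 distinct TCP/445 targets inside 60 seconds) are all constructed for the example; real proxy or firewall logs would need their own parser and tuning.

```python
"""
Added example: flag hosts that show worm-like SMB propagation (many
distinct destinations on TCP/445 in a short window) and report how long
after the host's first Tor (.onion) contact the fan-out began.
Log format, hosts, addresses and thresholds are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <src_ip> <dst> <dst_port>'."""
    ts, src, dst, port = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port)}


def build_sample_log():
    """Constructed sample traffic (not real IOCs):
    - 10.0.0.5 contacts a .onion service, then 24h03m later opens TCP/445 to
      25 different hosts within about 50 seconds (the propagation stage).
    - 10.0.0.7 is an ordinary client talking to one file server on 445 all day
      and must not raise an alert."""
    t0 = datetime(2017, 5, 18, 9, 2, 11)
    lines = [f"{t0.isoformat()} 10.0.0.5 exampleonionaddress.onion 80"]
    t1 = t0 + timedelta(hours=24, minutes=3)
    for i in range(25):
        t = t1 + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 203.0.113.{i + 1} 445")
    for i in range(40):
        t = t0 + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 10.0.0.20 445")
    # Fixed-width ISO timestamps sort lexicographically in time order.
    return sorted(lines)


def detect(lines, window=timedelta(seconds=60), fanout_threshold=20):
    """Sliding-window fan-out detector.

    For each source, keep the TCP/445 connections seen inside `window`; when
    they reach `fanout_threshold` distinct destinations, raise one alert and
    correlate it with the source's earliest .onion contact, if any.
    Returns {src_ip: alert_dict}."""
    tor_first_seen = {}             # src -> time of first .onion contact
    recent = defaultdict(deque)     # src -> deque of (ts, dst) on port 445
    alerts = {}
    for ev in map(parse_line, lines):
        src = ev["src"]
        if ev["dst"].endswith(".onion"):
            tor_first_seen.setdefault(src, ev["ts"])
            continue
        if ev["port"] != 445 or src in alerts:
            continue
        q = recent[src]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= fanout_threshold:
            start = q[0][0]
            tor_ts = tor_first_seen.get(src)
            alerts[src] = {
                "fanout_start": start,
                "distinct_targets": len(targets),
                "tor_first_seen": tor_ts,
                # Hours between first Tor contact and the SMB burst; a value
                # near 24 matches the delay the text attributes to EternalRocks.
                "delay_hours": (start - tor_ts).total_seconds() / 3600 if tor_ts else None,
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect(build_sample_log()).items():
        print(src, alert)
```

The window and threshold are deliberately conservative: a backup server or vulnerability scanner will also fan out on 445 and should be allow-listed rather than lowering the threshold, and the Tor correlation is only a supporting signal, since most firewall logs never see a `.onion` name and would instead show connections to Tor entry guards.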
 

A lot more ‘chaos’ is still to come!

If you are following The Hacker News coverage on WannaCry Ransomware and the Shadow Brokers leaks, you must be aware of the hacking collective’s new announcement of releasing new zero-days and exploits for web browsers, smartphones, routers, and Windows operating system, including Windows 10, from next month.

Exclusive access to the upcoming zero-days and exploits would be given to those buying a subscription to its ‘Wine of Month Club.’ However, the Shadow Brokers have not yet announced the price of the subscription.

Since criminal and state-sponsored attackers are waiting for these new zero-days, there is little you can do in advance beyond the basics already forced by WannaCry: keep systems patched and keep SMB off the public internet.

 
—————————————————————————————————————————————————–

 

CIA’s Windows XP to Windows 10 malware: WikiLeaks reveals Athena

WikiLeaks says the CIA’s Athena malware can be used to spy on Windows XP through to Windows 10 computers.

By Liam Tung | May 22, 2017 — 10:10 GMT (03:10 PDT) | Topic: Security

Documents on WikiLeaks purport to show how the Athena and Hera malware work. (Image: WikiLeaks)

The latest file revealed in WikiLeaks’ Vault 7 catalog of CIA hacking toolkit is Athena, a surveillance tool apparently designed to capture communications from Windows XP to Windows 10 machines.

Details of the Athena malware are available in a document allegedly created by the CIA in November 2015. The malware is said to have been made in conjunction with US cybersecurity firm Siege Technologies, which was acquired by Nehemiah Security late last year.


Athena is the ninth Vault 7 release of CIA hacking tools for mobile and desktop systems. WikiLeaks has been revealing one tool at the end of each week over the past two months.

As noted in the documents, Athena is “a very simple implant application” that offers remote access to the target machine. It can load a payload that delivers files to, and retrieves files from, a directory on the host.

“The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10,” the documents note.

There’s a separate implementation of the malware called Hera, or Athena-Bravo, that supports Windows 8 to Windows 10.

Athena, which is also called Athena-Alpha, gains persistence via the Windows RemoteAccess service, while Hera/Athena-Bravo uses the Dnscache service.

The documents outline several ways to deliver the malware including remote installation, the supply chain, via an “asset”, or with a tool called Windex detailed in earlier WikiLeaks releases.

WikiLeaks highlights an interview that Siege Technologies founder Jason Syversen gave Bloomberg in 2014, in which he justifies the creation of cyber weapons.

“I feel more comfortable working on electronic warfare,” he said. “It’s a little different than bombs and nuclear weapons — that’s a morally complex field to be in. Now instead of bombing things and having collateral damage, you can really reduce civilian casualties, which is a win for everybody.”
