EternalRocks - a new threat using NSA exploits

EternalRocks is a new piece of malware that uses the EternalBlue and DoublePulsar exploits, which were developed by the US National Security Agency (NSA), stolen by the Shadow Brokers hacking group and used in the well-known WannaCry ransomware attack. EternalRocks also uses five other exploits and tools released in a similar manner by the same group: EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. Most of these exploits attack Microsoft's Server Message Block (SMB) protocol, which is used to share resources between nodes on a network.

After infecting the target computer, the EternalRocks software launches a two-stage installation process:

In the first stage, the malware downloads the Tor network client and uses it as a communication channel to connect to its command-and-control (C&C) server. The C&C server does not respond immediately, but only after 24 hours. Experts speculate that this delay is intended to evade security testing and analysis in isolated environments (sandboxes).

As part of the response, the C&C server sends a ZIP file called " " containing the NSA-based exploits. After unpacking the archive, EternalRocks scans the Internet for systems with port 445 open, through which the worm spreads. Some of the vulnerabilities used by EternalRocks were fixed in the MS17-010 update released by Microsoft in March.
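An added example, not part of the original article: one way to spot the scanning behaviour described above in your own firewall or flow logs is to flag internal hosts that contact many distinct external addresses on TCP 445 in a short time. The CSV layout, the internal address ranges, the window and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: timestamp, source, destination, destination port.
# The CSV layout and the internal ranges below are assumptions.
SAMPLE_FLOWS = """\
2017-05-22T10:00:01,10.0.0.15,198.51.100.7,445
2017-05-22T10:00:02,10.0.0.15,198.51.100.8,445
2017-05-22T10:00:03,10.0.0.15,203.0.113.21,445
2017-05-22T10:00:04,10.0.0.15,203.0.113.22,445
2017-05-22T10:00:05,10.0.0.15,192.0.2.90,445
2017-05-22T10:00:07,10.0.0.20,10.0.0.5,445
2017-05-22T10:01:00,10.0.0.20,198.51.100.7,443
2017-05-22T10:02:00,10.0.0.30,198.51.100.9,445
2017-05-22T11:30:00,10.0.0.30,203.0.113.40,445
"""
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse(text):
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(port)

def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Map each internal source to the largest number of distinct external
    hosts it contacted on TCP 445 within any window, if >= threshold.
    Internal-to-internal SMB is treated as normal file sharing and skipped."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445 and is_internal(src) and not is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        best = start = 0
        for end, (ts, _dst) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(smb_fanout(parse(SAMPLE_FLOWS)))
```

Outbound SMB to the Internet is rarely legitimate, so blocking TCP 445 at the perimeter and alerting on any hit is a reasonable companion to this fan-out check.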

An important difference between WannaCry and EternalRocks is that the latter does not, so far, carry any dangerous payload. However, the ability of EternalRocks to spread quickly means that infected systems can be exposed to unwanted consequences if the software is later "armed". EternalRocks also has an additional advantage over WannaCry: the effects of WannaCry were limited by a killswitch mechanism that was activated when the availability of a specific domain was detected. EternalRocks has no such mechanism, which makes a real attack difficult to stop.

Even if the damage done by WannaCry was not a sufficient reason for users to install updates and patches, the emergence of a potentially more dangerous variant should prompt immediate action. Because EternalRocks uses the same exploits as WannaCry, system administrators and individual users should immediately install the necessary patches on their systems, before EternalRocks is equipped with genuinely harmful components. With threats such as WannaCry or EternalRocks, prevention is usually much easier than any cure.

For more details on the history and evolution of ransomware, as well as recommendations from Trend Micro, see this link.
