The WannaCry ransomware making its rounds around the globe isn’t the only thing that is causing businesses to be up in arms and cybersecurity industry to be twisting their knickers.
In fact, WannaCry only used 2 NSA tools, with other shoddily written code, cobbled together assuming to make some quick buck.
This other one though uses 7 – yes, seven – NSA tools and is far more sophisticated. Named EternalRocks, the worm uses six SMB-centric (Server Message Block) NSA tools to infect a computer with SMB ports exposed online.
The WannaCry ransomware outbreak also used an SMB worm to infect computers and spread to new victims.
According to a report by Bleeping Computer, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. However, EternalRocks is much more sneaky and complex. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage.
First stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web. After about 24 hours, does the C&C server respond. The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.
EternalRocks also uses files with identical names to the ones used by WannaCry’s SMB worm, in another attempt to fool security researchers into misclassifying it. But unlike WannaCry, EternalRocks does not include a kill switch domain, which is attributed to the slowing of the WannaCry spread.
After the initial dormancy period expires and the C&C server responds, EternalRocks goes into the second stage of its installation process and downloads a second stage malware component in the form of an archive named shadowbrokers.zip. As you can guess from the name – it’s a bunch of NSA SMB-centric exploits leaked by the Shadow Brokers group in April 2017.
The worm then starts a rapid IP scanning process and attempts to connect to random IP addresses.
Thing is, while it doesn’t immediately lock you files, and could lay dormant for a while – hackers can choose to weaponise with any tools in their downloaded arsenal on your system, when they feel like it. What’s worse, it doesn’t matter if you patch it up later – the hacker can used the pre-established communication link to send malware to previously infected devices.
Nonetheless, the faster system administrators patch their systems the better. “The worm is racing with administrators to infect machines before they patch,” Stampar told Bleeping Computer in a private conversation. “Once infected, he can weaponize any time he wants, no matter the late patch.”