EternalRocks Worm Spreads Seven NSA SMB Exploits

A worm called EternalRocks has been spreading seven Windows SMB exploits leaked by the ShadowBrokers, including EternalBlue, which was used to spread WannaCry.

Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May.

Researcher Miroslav Stampar, a member of the Croatian government’s CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, and posted a report over the weekend on his Github page.

The worm, which Stampar calls EternalRocks, currently has no payload and spreads in two stages over a 24-hour period. Heimdal Security has also seen a similar sample, which it calls BlueDoom.

Since the WannaCry ransomware outbreak two Fridays ago, researchers have stressed the urgency to patch the SMB vulnerability under attack given the NSA exploits are weaponized and documentation was also leaked making them reasonably simple to use. MS17-010 has been available since March, one month before the ShadowBrokers’ leak of Equation Group Windows offensive hacking tools.

“Despite not having a malicious payload, the EternalRock worm is as complex as WannaCry – although, for now, less dangerous. Unlike WannaCry, however, EternalRock has two stages, and there’s a long delay between the moment the malware sends a signal to the control server to confirm infection and the reply being received from the server,” Kaspersky Lab said. “Such behavior is not unusual and seems to be a sandbox mitigation technique.”

Stampar said that EternalRocks, which he also calls MicroBotMassiveNet, spreads using all of the SMB exploits in the leak, including EternalBlue, which was used in the WannaCry attacks. EternalRocks also uses EternalBlue, along with EternalChampion, EternalRomance and EternalSynergy, as well as ArchiTouch, SMBTouch and the DoublePulsar kernel exploit.

“The analysis done on BlueDoom hints that cyber criminals may be preparing to integrate an array of different exploits for an attack that combines a full set of digital weapons,” Heimdal Andra Zaharia said. “BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits.”

Stampar explained how the exploits attack in two stages. The first infects a vulnerable Windows machine unpatched against MS17-010, and the downloads components expected to be used during the second stage, along with the Tor browser, which is used to communication to a .onion command and control domain (ubgdgno5eswkhmpy[.]onion).

The second stage, Stampar said, is downloaded after a pre-defined 24-hour period from the .onion domain. During this stage, the SMB exploits are downloaded and the worm begins additional scanning of the internet looking for open instances of port 445.

Stampar’s report includes indicators of compromises, including hashes of components used in both stages of the attack.

In the meantime, more information continues to surface about the WannaCry infections. To date, more than 200,000 infections have been recorded in more than 100 countries. According to researchers at Kaspersky Lab, 98 percent of WannaCry infections affected Windows 7 machines, primarily Windows 7 x64 machines.

Last week, researchers developed and published tools that can help admins recover the private encryption key used by WannaCry to encrypt files on the local drives of machines it infects.

Adrien Guinet of QuarksLab made available his WannaKey tool that is able to recover a prime number from memory used to factor the RSA public key stored by the malware on the local drive. That public key can be used to rebuild the private key and recover encrypted files in conjunction with another tool called WanaDecrypt, built by researcher Benjamin Delpy.

At first, the available tools were limited just to Windows XP machines. The attackers built WannaCry using the Windows Crypto API, which fails to overwrite the prime numbers in memory; later versions do so using the CryptReleaseContext function. Delpy was reportedly able to overcome that limitation and get his tool to work on Windows 7 machines as well.

Admins must now hold their breath waiting perhaps for a version of EternalRocks to spread a malicious payload. Already, the NSA’s SMB exploits have been used, not only to spread ransomware, but also a cryptocurrency miner and a remote access Trojan. And unlike WannaCry, Stampar said EternalRocks does not include a so-called killswitch that researcher Marcus Hutchins used to shut down the initial ransomware outbreak.

“A big advantage over the initial WannaCry variants is that fact that EternalRock does not carry a kill-switch feature. Kaspersky Lab believes that it could easily be weaponized and used in the wild,” Kaspersky Lab said.

This article was updated May 22 with comments from Kaspersky Lab.

Suggested articles