Another Week, another SMB Exploit

Ever since WannaCry made it onto the front page of every newspaper and received a dedicated segment on twenty-four-hour news channels, every Friday since then another worm using the same exploit appeared. This past Friday was no different. On Friday, May 19, another worm using the same exploit as WannaCry emerged. Discovered by Croatian analyst Miroslav Stamper, it has been dubbed EternalRocks. It has also gone by the name MicroBotMassiveNet. This exploit yet again uses the NSA tools dumped by “The Shadow Brokers”. However, while WannaCry used an unsophisticated code, the more recent malware detections like Adylkuzz and EternalRocks are believed to be far more advanced.

Pandora’s Box

The initial dump of NSA linked hacking tools has opened a veritable Pandora’s box to hackers and affiliated groups worldwide, not to mention rumors of other international spying agencies taking note. While some debate whether it was North Korean groups with links to the hermit kingdom or not which created WannaCry, the point seems almost moot considering a number of new attack campaigns which leverage the dumped tools. EternalRocks uses several of the dumped tools which exploit the now infamous SMB zero day in Window’s older operating systems. Stamper discovered that EternalRocks uses EternalBlue, EternalChampion, EternalRomance, and EternalSynergy to compromise vulnerable systems while it uses SMBTouch and ArchiTouch for reconnaissance purposes. Once the worm has gained a foothold in a vulnerable system it then uses DoublePulsar to spread to other vulnerable machines.

Those following recent developments on the cyber-threat front will be fairly tired of reading the words EternalBlue and DoublePulsar by now. Since they have become part of the global discussion it is now only a matter of time before a band or house DJ decides it will be a great name or stage persona. Jokes aside, it was EternalBlue and DoublePulsar that thrust WannaCry from a purely amateur ransomware attempt to the ransomware that would critically endanger the British National Health Service. As a worm, although EternalRocks utilizes far more of these tools, it is deemed less dangerous than WannaCry as it does not deliver any malicious content once deployed.

eternalrocks exploit

The Cyber Arms Race Continues

Although it may appear now to be fairly harmless, it employs some cunning and sophisticated features. It currently features a two-stage installation process. Once initially installed the worm downloads Tor client which then signals to a C&C server located at a .onion domain made infamous by the Darkweb. After 24 hours the second stage begins when the C&C server responds. Once the server responds it downloads an archive titled shadowbrokers.zip which contains the SMB exploits, then the worm begins to rapidly scan for random IP addresses to connect to.

Researchers believe this an attempt to avoid detection and can potentially avoid sandbox security testing. Most worms and malware rely on slash and burn tactics to have the biggest effect in the shortest time possible. Encountering one that is essentially patient is rare and ominous. The creators of EternalRocks also employ another trick in an attempt to have it misclassified and hence avoid further detection. It uses the same files with identical names to WannaCry. Unlike WannaCry, Eternal Blue appears to have no kill switch domain, potentially meaning that if it becomes suddenly weaponised the results could be far more devastating to already infected systems and vulnerable ones.

Currently Not Weaponised

EternalRocks, although far more advanced and cunning than WannCry, is currently not weaponised. This does not mean that it cannot be weaponized. Experts concur that this can be done in an instant with it being either utilized as ransomware, a banking Trojan, or RAT. At first glance, it appears to researchers that EternalRocks is an experiment or test for a potential future attack. While not currently weaponised the worm is by no means harmless, machines infected by the worm are controllable C&C server commands, thus the creator could leverage this communications channel to send new malware. It is also worth considering that the creator has taken no measure to protect the DoublePulsar implant and it remains running. This essentially allows other threat actors to utilize this backdoor and send their own malware to already infected machines. It is becoming imperative for administrators to patch systems if they have not already.

shadow brokers NSA dumped tools

Broken Record

While these new worms still use the hacking tools mentioned above, experts and researchers who prophesied that WannaCry was not the end but merely the beginning was right. It wasn’t looking into tea leaves to determine the future rather the nature of the threat landscape and past attacks that determined that this would happen. One of the silver linings from this period will hopefully be more frank talks around the threats posed by state-sponsored entities with near limitless budgets, or at least budgets criminal organizations can only dream of, creating hacking tools for the supposed greater good. While the media storm around the recent attack campaigns will eventually die down it will be up to the public to demand greater transparency from their governments and to the extent that tools used for information gathering, or spying, are regulated to prevent abuses.

The current debate centers around who is at fault, as it would inevitably degrade into who can shout the longest about who is wrong. One fact though remains and that is that the worms which utilized the NSA dumped tools would not be worth consideration if not utilizing the tools and exploits. One sounds like a broken record reminding of the importance of patching, making sure machines are up to date, and the plethora of EternalSomethingorother names keep coming up. The argument needs to shift from blame to why the public allows state institutions to act like criminals under the assumption that it is for our security. With another potential dump of more NSA exploits on the horizon, it would be better to have this argument sooner rather than later.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal