WannaCry has a new highly malicious successor, which has been identified as a worm spreading via SMB (Server Message Block). However, unlike WannaCry, which leveraged two of the leaked alleged NSA hacking tools, EternalRocks uses seven of the spy agencies' leaked cyberweapons.
The worm is highly potent, so much so that the security researcher who first discovered it – Miroslav Stampar, a member of the Croatian Government CERT – originally wanted to name it the DoomsDayWorm. Although EternalRocks shares several similarities with WannaCry, it has been designed to function far more secretly, in order to ensure that it remains undetectable.
EternalRocks uses 7 hacking tools and is more complex
EternalRocks uses six of the NSA's SMB-based cyber tools to infect systems. BleepingComputer reported that the NSA tools used by the worm are EternalBlue, EternalChampion, EternalSynergy and EternalRomance – all of which are SMB exploits used to hack into computers. The worm also leverages the two NSA SMB reconnaissance tools SMBTouch and ArchTouch to spy on infected computers. Finally, the worm spreads to other vulnerable systems using the DoublePulsar exploit.
The NSA tools were leaked by the Shadow Brokers hacker group in April, who, in the wake of the WannaCry attacks, threatened to dump ever more cyberweapons in the coming months. Security experts linked one of the exploits leaked by the Shadow Brokers called EternalBlue to the WannaCry attacks. Even as security researchers grappled with the ransomware outbreak and stop further such attacks, Microsoft publicly slammed the NSA over its practice of stockpiling cyberweapons, blaming it for the widespread ransomware attacks.
According to Bleeping Computer's report, although EternalRocks does not currently spread malicious content and can be considered less dangerous than WannaCry, it is far more dangerous than its predecessor, according to Stampar.
EternalRocks uses a two-stage installation process as part of its attack, with the second stage coming with a delayed initiation. This is so the worm can function even more secretively and avoid detection.
During the first stage, EternalRocks infects a system, downloads Tor and beacons its C&C (command and control) server located on the Tor network, in the dark web. The second stage of the attack begins after 24 hours, when the C&C server responds. This delayed attack technique has likely been incorporated to hoodwink security experts analysing the worm.
Additionally, infected computers keep running DoublePulsar, which comes with a backdoor feature. The attackers have not taken measures to protect the DoublePulsar implant, which is currently running in a default and unprotected state. This means that other hackers could also use the backdoor to compromise systems already infected by EternalRocks to install further malware.
EternalRocks has no kill switch and can be weaponised
The worm can potentially be instantaneously weaponised with ransomware, banking Trojans or RATs, since it uses a broader range of exploits. Although the worm currently appears to be in the development and testing stage, the danger of this new attack technique becoming the next major cyber threat remains very real.
More importantly, EternalRocks unlike WannaCry, does not come with a kill switch, which was what security experts used to stop the WannaCry attacks. This means that at present, there is no simple way to stop potential EternalRocks attacks.
SMB vulnerabilities have been increasingly targeted by hackers recently to launch large-scale attacks. New cyber threats leveraging SMB flaws continue to emerge everyday. It is therefore essential that systems be patched immediately to run the most recent and updated version of operating system.
"The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer in a private conversation. "Once infected, he can weaponise any time he wants, no matter the late patch."