‘Bigger than WannaCry’: New malware employs 7 NSA exploits, expert warns
Like WannaCry, which hit hundreds of thousands of computers worldwide this month, EternalRocks apparently draws on the NSA-developed SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy.
The worm also uses the DoublePulsar backdoor and the ArchiTouch and SMBTouch reconnaissance tools, all part of the toolset released in an apparent NSA leak by the hacking group Shadow Brokers. WannaCry, by comparison, relied on EternalBlue and DoublePulsar alone.
The worm’s characteristics were identified by Miroslav Stampar, a security expert with Croatia’s national Computer Emergency Response Team (CERT). He is also listed as a member of the Croatian chapter of the Honeynet Project, a volunteer network for “security research.”
In a breakdown published online, Stampar outlines how the “cyberweapon” installs itself in two separate stages, with the second stage running only after a 24-hour delay. A delay that long outlasts typical automated sandbox analysis, so a defender who observes only the first stage never sees the worm’s full behaviour.
“After about six to eight hours of analysis, I found how to provoke the second stage,” said Stampar when contacted by RT.com. “I got kind of excited and scared as somebody had successfully, and professionally, packed all SMB exploits from Shadow Brokers’ dump.
“I predicted that something bigger than WannaCry is coming,” he added.
Stampar explains that EternalRocks lies dormant on the infected device but can be activated later for more malicious purposes: “Its sole purpose at this moment is propagation and waiting for further command and control updates. As I see it, it is a prelude,” he said.
Conclusion: delayed downloader for https://ubgdgno5eswkhmpy[.]onion/updates/download?id=PC which seem to be a full scale cyber weapon
— Miroslav Stampar (@stamparm), May 18, 2017
Microsoft had already fixed the SMBv1 flaws these exploits target in supported versions of Windows in March (security bulletin MS17-010); after WannaCry spread, it was forced to issue emergency patches for discontinued operating systems such as Windows XP and Windows Server 2003 as well.
The patch came after more than 200,000 devices had been infected with WannaCry, which encrypts the files on a computer and demands a ransom for their release. The wide-reaching ransomware outbreak crippled parts of the UK National Health Service.
Last week, Quarkslab researcher Adrien Guinet released a method for recovering the key needed to decrypt files encrypted by WannaCry. His ‘WannaKey’ tool was published on GitHub but only helps users running Windows XP, and only if the infected machine has not been rebooted since infection, because it works by recovering the RSA prime numbers that are still present in the ransomware process’s memory.