
EternalRocks Network Worm Leverages 7 NSA Hacking Tools

EternalRocks Worm Uses NSA Exploits to Compromise Systems and Install DoublePulsar Backdoor

A recently discovered network worm leverages a total of seven hacking tools stolen from the National Security Agency (NSA)-linked Equation Group.


Dubbed EternalRocks and capable of self-replication, the threat emerged over the past couple of weeks, with the most recent known sample dated May 3. The malware was discovered by security researcher Miroslav Stampar, who also found that the tool was initially called MicroBotMassiveNet.

The seven NSA hacking tools bundled in the network worm are the EternalBlue, EternalChampion, EternalRomance, and EternalSynergy exploits, the DoublePulsar backdoor, and the Architouch and Smbtouch SMB reconnaissance tools.

The exploits were made public in April by the hacker group going by the name of Shadow Brokers and are said to have been stolen from the NSA-linked threat actor Equation Group last year. Within days after the tools were released, Microsoft said that it had already patched the vulnerabilities targeted by the exploits with its March 2017 security updates.

However, because not all vulnerable devices have been patched, these exploits continue to be effective, and the recent WannaCry ransomware outbreak is the best example of that. The WannaCry malware abused the EternalBlue exploit for distribution, and other threats did the same, including the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

The EternalRocks worm is yet another malicious program attempting to cash in on the release of these exploits. Its purpose seems pretty straightforward: it compromises systems to install the DoublePulsar backdoor on them.

The worm uses a two-stage infection process to deliver its payload, but appears to be more of a research project at the moment than an actual malicious tool.


“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe and taskhost.exe. Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (command and control) communication requesting further instructions,” Stampar notes.

The second-stage payload is downloaded only after a 24-hour delay and runs disguised as the taskhost.exe process. It drops the exploit pack shadowbrokers.zip, unpacks the directories payloads/, configs/ and bins/ it contains, and then starts randomly scanning the Internet for open 445 (SMB) ports.

Against the hosts it finds, EternalRocks runs the bundled exploits (from the bins/ directory) and pushes the first-stage malware through the payloads in the payloads/ directory. Meanwhile, the running Tor process keeps waiting for further instructions from the C&C.

In an emailed comment, Michael Patterson, CEO of Plixer, told SecurityWeek that EternalRocks, currently the “first known malware incorporating all seven of the NSA hacking tools,” is clearly a more stealthy tool, given its delayed Tor communication and that administrators looking to keep their systems safe from this threat might have already lost the battle with it.

“Once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization,” Patterson said.

“The race to detect and stop all malware was lost years ago. Organizations must constantly monitor their environments for anomalous behaviors, maintain a historical forensic database, and have a well-defined storage backup and recovery process for all critical data,” he concluded.
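The two network behaviours described above, the delayed Tor egress Patterson suggests hunting for and the worm's random scanning of port 445, can both be surfaced from outbound firewall or flow logs. The following script is an added example and not code from the article or from the researchers quoted; it assumes a simple space-separated log format, a constructed sample log, a placeholder relay list standing in for a real Tor relay feed, and 10.0.0.0/8 as the internal range.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed outbound firewall records (not from the article).
# Fields: timestamp src dst dport proto
SAMPLE_LOGS = """\
2017-05-01T09:12:01 10.0.0.5 198.51.100.20 443 tcp
2017-05-01T09:12:07 10.0.0.5 203.0.113.9 9001 tcp
2017-05-01T09:12:09 10.0.0.5 203.0.113.44 9001 tcp
2017-05-02T09:13:00 10.0.0.5 192.0.2.1 445 tcp
2017-05-02T09:13:00 10.0.0.5 192.0.2.77 445 tcp
2017-05-02T09:13:01 10.0.0.5 198.51.100.3 445 tcp
2017-05-02T09:13:01 10.0.0.5 203.0.113.120 445 tcp
2017-05-02T09:13:02 10.0.0.5 192.0.2.200 445 tcp
2017-05-02T09:14:00 10.0.0.7 10.0.0.9 445 tcp
2017-05-02T09:15:00 10.0.0.7 198.51.100.20 443 tcp
"""

INTERNAL_NET = ip_network("10.0.0.0/8")        # assumed corporate range
TOR_RELAYS = {"203.0.113.9", "203.0.113.44"}  # placeholder for a real relay feed
TOR_PORTS = {9001, 9030}  # default Tor ORPort/DirPort; weak evidence on its own

def parse(text):
    """Turn the space-separated log text into (ts, src, dst, dport, proto) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        records.append((ts, src, dst, int(dport), proto))
    return records

def tor_egress(records):
    """Internal hosts with Tor-looking outbound connections, with when and where."""
    hits = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        if ip_address(src) in INTERNAL_NET and (dst in TOR_RELAYS or dport in TOR_PORTS):
            hits[src].append((ts, dst))
    return dict(hits)

def smb_scanners(records, threshold=5):
    """Internal hosts that reached at least `threshold` distinct external IPs on 445/tcp."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in records:
        if dport == 445 and proto == "tcp" and ip_address(dst) not in INTERNAL_NET:
            targets[src].add(dst)
    return {src: len(ips) for src, ips in targets.items() if len(ips) >= threshold}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOGS)
    print("Tor egress:", tor_egress(recs))
    print("SMB scanners:", smb_scanners(recs))
```

Because the worm waits a day before scanning, a host that shows up in `tor_egress` well before it appears in `smb_scanners` is the sequence worth checking historically rather than only in live traffic.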

Related: NSA’s EternalBlue Exploit Fully Ported to Metasploit

Related: Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
