Join Our Community!Join Our WhiteHat Group On facebook & Stay Updated.

EternalRocks SMB Worm Uses Seven NSA Hacking Tools

New EternalRocks SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Analysts have recognized another worm that is spreading by means of SMB, yet not at all like the worm part of the WannaCry ransomware, this one is utilizing seven NSA devices rather than two.

The worm’s presence initially became exposed on Wednesday, after it contaminated the SMB honeypot of Miroslav Stampar, an individual from the Croatian Government CERT, and maker of the SQL delineate utilized for distinguishing and misusing SQL infusion imperfections.

EternalRocks utilizes seven NSA Tools

The worm, which Stamper named EternalRocks in view of worm executable properties found in one example, works by utilizing six SMB-driven NSA instruments to taint a PC with SMB ports uncovered on the web. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB misuses used to trade off helpless PCs, while SMBTOUCH and ARCHITOUCH are two NSA instruments utilized for SMB observation operations.

Once the worm has acquired this underlying a dependable balance, it then uses another NSA instrument, DOUBLEPULSAR, to spread to new helpless machines.

EternalRocks Properties details
EternalRocks Properties | Source: Bleepingcomputers


The WannaCry ransomware episode, which influenced more than 240,000 casualties, likewise utilized an SMB worm to contaminate PCs and spread to new casualties.

Not at all like EternalRocks, WannaCry’s SMB worm utilized ETERNALBLUE for the underlying trade-off, and DOUBLEPULSAR to proliferate to new machines.


EternalRocks is more perplexing yet less perilous

As a worm, EternalRocks is far less unsafe than WannaCry’s worm part, as it presently does not convey any noxious substance. This, nonetheless, does not imply that EternalRocks is less intricate. As indicated by Stamper, it’s really the inverse.


For one thing, EternalRocks is significantly more subtle than WannaCry’s SMB worm part. When it contaminates a casualty, the worm utilizes a two-arrange establishment prepare, with a postponed second stage.

Amid the main stage, EternalRocks picks up a decent footing on a tainted host, downloads the Tor customer, and reference points its C&C server, situated on an .onion area, the Dark Web.


Simply after a predefined timeframe — right now 24 hours — does the C&C server react. The part of this long postponement is most likely to sidestep sandbox security testing situations and security analysts investigating the worm, as not very many will sit tight an entire day for a reaction from the C&C server.


No Kill Switch Domain

Moreover, EternalRocks likewise utilizes records with indistinguishable names to the ones utilized by WannaCry’s SMB worm, in another endeavor to trick security scientists into misclassifying it. Yet, dissimilar to WannaCry, EternalRocks does exclude an off button space, the Achille’s heel that security specialists used to stop the WannaCry episode.


After the underlying lethargy time frame terminates and the C&C server reacts, EternalRocks goes into the second phase of its establishment procedure and downloads a moment organize malware segment as a document named


The name of this record is really clear as crystal, as it contains NSA SMB-driven endeavors spilled by the Shadow Brokers assemble in April 2017. The worm then begins a quick IP examining procedure and endeavors to interface with irregular IP addresses.


Shadowbroker Archive | Hacker Nucleus
Shadowbroker Archive | Hacker Nucleus

EternalRocks could be weaponized in a moment

In view of its more extensive adventure armory, the absence of an off button space, and due to its underlying lethargy, EternalRocks could represent a genuine danger to PCs with defenseless SMB ports presented to the Internet, if its creator could ever choose to weaponize the worm with ransomware, a saving money trojan, RATs, or whatever else.

At first look, the worm is by all accounts an analysis, or a malware creator performing tests and calibrating a future risk.

This, be that as it may, does not mean EternalRocks is safe. PCs tainted with this worm are controllable by means of C&C server summons and the worm’s proprietor could use this shrouded interchanges channel to send new malware to the PCs already contaminated by EternalRocks.


Moreover, DOUBLEPULSAR, an NSA embed with secondary passage highlights, stays running on PCs tainted with EternalRocks. Sadly, the worm’s creator has not taken any measures to secure the DOUBLEPULSAR embed, which keeps running in a default unprotected state, which means other danger performers could utilize it as a secondary passage to machines contaminated by EternalRocks, by sending their own malware to those PCs.

IOCs and more data on the worm’s contamination procedure are accessible in a GitHub repo Stampar set up a couple days back.

An SMB free-for-all

Presently, there are different on-screen characters examining for PCs running more established and unpatched renditions of the SMB administrations. Framework overseers have effectively paid heed and began fixing powerless PCs or impairing the old SMBv1 convention, gradually diminishing the quantity of defenseless machines that EternalRocks can contaminate.

Moreover, malware, for example, Adylkuzz additionally close down SMB ports, keeping further abuse from different dangers, likewise adding to lessening the quantity of potential focuses for EternalRocks and other SMB-chasing malware. Reports from Force point, Cyphort, and Secdo detail different dangers presently focusing on PCs with SMB ports.

In any case, the quicker framework overseers fix their frameworks the better. “The worm is dashing with chairmen to contaminate machines before they fix,” Stampar revealed to Bleeping Computer in a private discussion. “Once tainted, he can weaponize at whatever time he needs, regardless of the late fix.”

Image credits: Miroslav Stampar, BleepingComputer & Ana María Lora Macias



Leave a Reply