Massive Campaign Malware Eternalrocks

Yesterday, 22nd May 2017, a massive campaign of Malware EternalRocks has been identified.

Actually we don’t know the real malware spread.

EternalRocks appears an evolution of ransomware WannaCry family, but this malware has been developed with the purpose to be silent on victim systems.

This malware uses an higher number of Exploit to spread.

In particular this malware uses SMB exploit: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY oltre ai codici collegati: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.

In detail:

• EternalBlue — SMBv1 exploit tool
• EternalRomance — SMBv1 exploit tool
• EternalChampion — SMBv2 exploit tool
• EternalSynergy — SMBv3 exploit tool
• SMBTouch — SMB reconnaissance tool
• ArchTouch — SMB reconnaissance tool
• DoublePulsar — Backdoor Trojan

SMBTouch and ArchTouch are scan tools used to find SMB ports open on Internet.

EternalBlue, EternalChampio, EternalSynergy and EternalRomance are exploits for SMB, developed in order to damage Windows vulnerable versions, exploiting DoublePulsar to diffuse inside internal network on other vulnerable systems identified.

Actually there aren’t enough information to identify attack vector used by attackers to spread malware; probably attack vector used is e-mail or directly on SMB TCP/445 port.

Threat entity is critical because malware exploits a SMB v1 protocol vulnerability to spread on internal network trough exploit widespread by “ShadowBroker” during toolkit NSA leak.

This malware acts in 2 stadiums:

• First stadium: UpdateInstaller.exe downloads needed .NET components for further steps.

It downloads TaskScheduler and SharpZLib from Internet, at the same time inserts code in svchos.exe and taskhost.ex. svchost.exe is used to download, extract and execute Tor from archive.torproject.org with command and control communication direct to link e.i. (ubgdgno5eswkhmpy.onion) in order to request other components.

• Second Stadium: taskhost.exe is downloaded and execute after a default period (24h) for example from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC.

After a first execution, it downloads exploit pack shadowbrokers.zip preparing the environment. At the end of this step, it will start a random open ports 445 (SMB) scan in order to continue diffusion.

Vulnerability has been patched in March 2017 by Microsoft on Microsoft Windows systems thanks to MS17-010 security bullentin. 

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

It’s possible to protect your internal infrastructure adopting following precautions:

• (Suggested)

Install patch realeased in Microsoft MS17-010 security bulletin of March, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

• (Alternative)

Disable SMB v1 protocol: protocol SMB version 1 is old and not secure. If it’s possible, disable it. 

Following Malware EternalRocks IoC:

One of Command & Control server identified is: ubgdgno5eswkhmpy.onion

As Network & Security Company, Sorint.SEC is able to offer information security services in order to guarantee an advanced protection to different and complex infrastructures.

In particular Sorint.SEC offers Managed Next Generation EndPoint Protection services in order to increase company protection against advanced threats direct to EndPoints.

More information about managed protection, offered by Sorint.SEC, are available to following links:

https://sec.sorint.it/en/managedendpointprotection

https://sec.sorint.it/en/soc

Following useful links to better understand this threat:

• https://github.com/stamparm/EternalRocks
• http://www.securityweek.com/eternalrocks-network-worm-leverages-7-nsa-hacking-tools
• https://nakedsecurity.sophos.com/2017/05/22/after-wannacry-eternalrocks-digs-deeper-into-the-nsas-exploit-toolbox/
• http://thehackernews.com/2017/05/smb-windows-hacking-tools.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29