Massive Malware Campaign: EternalRocks

EternalRocks Worm

Yesterday, 22nd May 2017, a massive campaign of the EternalRocks malware was identified.

At present the real extent of the malware's spread is not known.

EternalRocks appears to be an evolution of the WannaCry ransomware family, but this malware was developed to stay silent on victim systems.

This malware uses a higher number of exploits to spread.

In particular it uses the SMB exploits ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, together with the related tools DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.

In detail:

  • EternalBlue — SMBv1 exploit tool
  • EternalRomance — SMBv1 exploit tool
  • EternalChampion — SMBv2 exploit tool
  • EternalSynergy — SMBv3 exploit tool
  • SMBTouch — SMB reconnaissance tool
  • ArchiTouch — SMB reconnaissance tool
  • DoublePulsar — Backdoor Trojan

SMBTouch and ArchiTouch are scanning tools used to find hosts with SMB ports open on the Internet.

EternalBlue, EternalChampion, EternalSynergy and EternalRomance are SMB exploits developed to compromise vulnerable Windows versions; DoublePulsar is then used to spread inside the internal network to the other vulnerable systems identified.

At present there is not enough information to identify the attack vector used by the attackers to spread the malware; it is probably e-mail or direct exploitation of SMB on TCP port 445.

The threat is critical because the malware exploits an SMB v1 protocol vulnerability to spread across the internal network, using the exploits made public by the "Shadow Brokers" in the NSA toolkit leak.

This malware acts in 2 stages:

  • First stage: UpdateInstaller.exe downloads the .NET components needed for the following steps. It downloads TaskScheduler and SharpZLib from the Internet and at the same time inserts code into svchost.exe and taskhost.exe. svchost.exe is used to download, extract and run Tor from archive.torproject.org, with command and control communication directed to the .onion address (ubgdgno5eswkhmpy.onion) in order to request further components.

  • Second stage: after the first execution it downloads the exploit pack shadowbrokers.zip and prepares the environment. At the end of this step it starts scanning random hosts for open port 445 (SMB) in order to continue spreading.

The vulnerability was patched by Microsoft in March 2017 for Microsoft Windows systems with the MS17-010 security bulletin:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

You can protect your internal infrastructure by adopting the following precautions:

  • (Suggested) Install the patch released in the Microsoft MS17-010 security bulletin of March: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  • (Alternative) Disable the SMB v1 protocol: SMB version 1 is old and insecure. Disable it wherever possible.
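One way to audit a host for the "alternative" mitigation above and apply it, as an added example (not a script from the advisory or from Microsoft): it reports the SMBv1 server state, the SMB1 optional feature and whether TCP/445 is listening, and with -Disable switches SMBv1 off using the Microsoft cmdlets where present, falling back to the registry and sc.exe steps documented in Microsoft KB2696547 on older versions. The function names are assumptions of this example.

```powershell
# Added example (not from the advisory): audit, and with -Disable turn off, SMBv1 on a
# Windows host. Run from an elevated PowerShell. Without -Disable it only reports.
[CmdletBinding()]
param([switch]$Disable)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# True when the cmdlet exists on this Windows version (Smb*/Net* cmdlets need 8.1 / 2012 R2+)
function Test-Cmd([string]$Name) { [bool](Get-Command $Name -ErrorAction SilentlyContinue) }

function Get-Smb1ServerEnabled {
    if (Test-Cmd 'Get-SmbServerConfiguration') {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: a missing SMB1 registry value means the protocol is enabled by default
    $v = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

$enabled = Get-Smb1ServerEnabled
if ($enabled) {
    Write-Warning 'SMBv1 server is ENABLED: exposed to the MS17-010 exploits if the patch is missing.'
} else {
    Write-Host 'SMBv1 server is disabled.'
}

# Windows 8.1/10: report whether the SMB1 optional feature is still installed at all
if (Test-Cmd 'Get-WindowsOptionalFeature') {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { Write-Host "SMB1Protocol optional feature: $($feature.State)" }
}

# Report whether the host listens on TCP/445, the port EternalRocks scans for
if (Test-Cmd 'Get-NetTCPConnection') {
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    Write-Host ("TCP/445 listening: " + [bool]$listener)
}

if ($Disable -and $enabled) {
    if (Test-Cmd 'Set-SmbServerConfiguration') {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Also stop the SMB1 client driver so the host never negotiates SMB1 outbound (KB2696547)
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Host 'SMBv1 disabled. Reboot to apply the client-side change.'
}
```

Disabling SMBv1 is a mitigation for the spreading mechanism only; the MS17-010 patch remains the suggested fix.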

 

EternalRocks malware IoCs follow.

First stage (UpdateInstaller.exe, captured sample and variants):

Second stage:
FileHash

cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30 # taskhost.exe (captured)

FileHash

a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0 # taskhost.exe (variant)

FileHash

70ec0e2b6f9ff88b54618a5f7fbd55b383cf62f8e7c3795c25e2f613bfddf45d # shadowbrokers.zip (exploits)

One of the Command & Control servers identified is: ubgdgno5eswkhmpy.onion

As a Network & Security company, Sorint.SEC offers information security services that guarantee advanced protection for diverse and complex infrastructures.

In particular, Sorint.SEC offers Managed Next Generation EndPoint Protection services to increase company protection against advanced threats directed at endpoints.

More information about the managed protection offered by Sorint.SEC is available at the following links:

https://sec.sorint.it/en/managedendpointprotection

https://sec.sorint.it/en/soc

Useful links to better understand this threat: