A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two leaked NSA hacking tools, it exploits all seven.
Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.
Now, Miroslav Stampar, a security researcher who created the well-known 'sqlmap' tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch.
Unlike WannaCry, EternalRocks seems to be designed to function secretly in order to ensure that it remains undetected on the affected system.
However, Stampar learned of EternalRocks after it infected his SMB honeypot.
The NSA exploits used by EternalRocks, which Stampar called "DoomsDayWorm" on Twitter, include:
- EternalBlue — SMBv1 exploit tool
- EternalRomance — SMBv1 exploit tool
- EternalChampion — SMBv2 exploit tool
- EternalSynergy — SMBv3 exploit tool
- SMBTouch — SMB reconnaissance tool
- ArchTouch — SMB reconnaissance tool
- DoublePulsar — Backdoor Trojan
As we have mentioned in our previous articles, SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for open SMB ports on the public internet.
EternalBlue, EternalChampion, EternalSynergy and EternalRomance, on the other hand, are SMB exploits, designed to compromise vulnerable Windows computers.
DoublePulsar is then used to spread the worm from one affected computer to the other vulnerable machines across the same network.
Stampar found that EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware, it gains unauthorized control of the affected computer to launch future cyber attacks.
Here's How EternalRocks Attack Works:
EternalRocks installation takes place in a two-stage process.
During the first stage, EternalRocks downloads the Tor web browser on the affected computers, which is then used to connect to its command-and-control (C&C) server located on the Tor network on the Dark Web.
"First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample)," Stampar says.
According to Stampar, the second stage comes with a delay of 24 hours in an attempt to evade sandboxing techniques, so that the worm infection goes undetected.
After 24 hours, EternalRocks responds to the C&C server with an archive containing the seven Windows SMB exploits mentioned above.
"Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components)," Stampar adds.
All the seven SMB exploits are then downloaded to the infected computer. EternalRocks then scans the internet for open SMB ports to spread itself to other vulnerable systems as well.
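The two behaviours the article describes, a host opening SMB connections to many peers in a short time (the SMBTouch/ArchTouch-style scanning mentioned earlier) and a host fetching Tor from archive.torproject.org to reach the onion C&C, are both visible in outbound connection logs. The following Python script is an added example for defenders, not code from the article or from Stampar's analysis; it runs over a constructed sample log and flags hosts showing either behaviour. The log format, the field names, the fan-out threshold of 20 peers and the five-minute window are assumptions; the two hostnames are the ones quoted in the article.

```python
"""Triage outbound connection logs for EternalRocks-style behaviour.

Added example, not code from the article. Two behaviours are scored:
  1. SMB fan-out: one source host opening TCP/445 to many distinct
     destinations inside a short window (worm scanning for open SMB ports).
  2. Tor bootstrap / C&C: any connection to archive.torproject.org or to
     the onion address quoted in the article.
Log format, thresholds and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames quoted in the article; a workstation contacting them warrants a look.
TOR_INDICATORS = {"archive.torproject.org", "ubgdgno5eswkhmpy.onion"}

SMB_PORT = 445
FANOUT_THRESHOLD = 20                  # distinct 445/tcp peers (assumed)
FANOUT_WINDOW = timedelta(minutes=5)   # sliding window (assumed)

# Constructed sample log, one event per line: timestamp,src_host,dst_ip,dst_port,dst_name
# ws-042 sweeps 25 hosts on 445 in 25 seconds and then pulls Tor; ws-017 and ws-099 are benign.
SAMPLE_LOG = (
    "\n".join(f"2017-05-18T10:00:{i:02d}Z,ws-042,10.0.1.{i},445," for i in range(25))
    + "\n2017-05-18T10:05:00Z,ws-042,185.0.0.1,443,archive.torproject.org"
    + "\n2017-05-18T10:06:00Z,ws-017,10.0.0.2,445,fileserver"
    + "\n2017-05-18T10:06:30Z,ws-017,10.0.0.3,445,printserver"
    + "\n2017-05-18T10:07:00Z,ws-099,93.184.216.34,443,example.com"
)


def parse_line(line):
    """Split one log line into (timestamp, src_host, dst_ip, dst_port, dst_name)."""
    ts, src, dst_ip, dst_port, dst_name = line.split(",", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst_ip, int(dst_port), dst_name


def smb_fanout_hosts(log_text, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src_host: peak distinct 445/tcp peers} for hosts at or over threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _ = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst_ip))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        # Slide a window starting at each event; count distinct peers inside it.
        for i, (start, _) in enumerate(evs):
            peers = {dst for ts, dst in evs[i:] if ts - start <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def tor_contact_hosts(log_text, indicators=TOR_INDICATORS):
    """Return {src_host: set of indicator hostnames contacted}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, _, _, dst_name = parse_line(line)
        if dst_name in indicators:
            hits[src].add(dst_name)
    return dict(hits)


def triage(log_text):
    """Combine both detections into {src_host: [reason, ...]}."""
    fanout = smb_fanout_hosts(log_text)
    tor = tor_contact_hosts(log_text)
    verdicts = {}
    for host in set(fanout) | set(tor):
        reasons = []
        if host in fanout:
            reasons.append(f"SMB fan-out: {fanout[host]} distinct 445/tcp peers")
        if host in tor:
            reasons.append("Tor bootstrap/C&C contact: " + ", ".join(sorted(tor[host])))
        verdicts[host] = reasons
    return verdicts


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed sample only ws-042 is reported, with both reasons; ws-017 touches two SMB servers, which is normal file-server traffic and stays under the threshold. The fan-out rule is deliberately based on distinct peers rather than connection count, so a workstation repeatedly reconnecting to one file server is not mistaken for a scanner.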
There's going to be a lot of 'chaos' now!
If you are following The Hacker News coverage on WannaCry Ransomware and the Shadow Brokers leaks, you must be aware of the hacking collective's new announcement of releasing new zero-days and exploits for web browsers, smartphones, routers, and the Windows operating system, including Windows 10, from next month.
The exclusive access to the upcoming leaks of zero-days and exploits would be given to those buying subscription for its 'Wine of Month Club.' However, the Shadow Brokers has not yet announced the price for the subscription.
Since the hackers and state-sponsored attackers are currently waiting for new zero-days to exploit, there is very little you can do to protect yourself from the upcoming cyber attacks.
If you want to know every minute update about the latest cyber threats before they hit your system, make sure you are following The Hacker News on Twitter and Facebook, or subscribe to our newsletter.
from The Hacker News http://ift.tt/2qcmYVI