EternalRocks leaves backdoor trojan for remote access to infected machines

Share and earn Cybytes
Facebook Twitter LinkedIn Email

What we know so far

The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1 file sharing protocol.

On Wednesday security researcher Miroslav Stampar, member of the Croatian Government CERT, who created infamous sqlmap (SQL injection pentesting tool), detected a new self-replicating worm which also spreads via several SMB vulnerabilities. This worm, dubbed EternalRocks uses seven leaked NSA hacking tools to infect a computer via SMB ports exposed online.

Unlike WannaCry, EternalRocks has no kill switch to stop the code from executing. It uses some files with the same names as WannaCry to try to fool security researchers into thinking it is WannaCry.

EternalRocks analysis

  • Spreads via SMB ports exposed online
  • SMB reconnaissance tools SMBTOUCH and/or ARCHITOUCH are used to scan for open SMB ports on the public internet
  •  If open ports are found then one of 4 SMB exploit tools, which target different vulnerabilities in the Microsoft SMB file sharing protocol, are used to get inside the network:
    • ETERNALBLUE (SMBv1 exploit tool)
    • ETERNALCHAMPION (SMBv2 exploit tool)
    • ETERNALROMANCE (SMBv1 exploit tool)
    • ETERNALSYNERGY (SMBv3 exploit tool)
  • Once inside EternalRocks downloads the Tor web browser, which supposedly*allows you to browse the web anonymously and access sites hosted on the Dark Web which cannot be accessed from normal web browsers like Chrome, IE, or Firefox.
  • Downloads .net components which will be used later
  • Tor connects to a C&C server on the Dark Web
  • After a delay, currently set to 24 hours, the C&C server responds and an archive containing the 7 SMB exploits are downloaded. This delay is likely to avoid sandboxing techniques
  • Next the worm scans the internet for open SMB ports – to spread the infection to other organizations.

*It is questionable just how anonymous Tor really is considering that almost everyone involved in developing Tor was funded by the US Government.

The Good News

EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

The Bad News

Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

What you should do

Block external access to SMB ports on the public internet

  • Patch all SMB vulnerabilities
  • Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to while you are at it
  • Monitor for any newly added scheduled tasks
  • A DOUBLEPULSAR detection script is available on Github
  • Make sure DatAlert Analytics is up to date monitoring your organization for insider threats

For detailed information on EternalRocks check out the repository setup by Stampar a few days ago on GitHub.

The post EternalRocks leaves backdoor trojan for remote access to infected machines appeared first on Varonis Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Varonis
Varonis is a pioneer in data security and analytics, fighting a different battle than conventional cybersecurity companies. Varonis focuses on protecting enterprise data on premises and in the cloud: sensitive files and emails; confidential customer, patient and employee data; financial records; strategic and product plans; and other intellectual property. The Varonis Data Security Platform detects insider threats and cyberattacks by analyzing data, account activity and user behavior; prevents and limits disaster by locking down sensitive and stale data; and efficiently sustains a secure state with automation. With a focus on data security, Varonis serves a variety of use cases including governance, compliance, classification, and threat analytics. Varonis started operations in 2005 and, as of December 31, 2017, had approximately 6,250 customers worldwide — comprised of industry leaders in many sectors including technology, consumer, retail, financial services, healthcare, manufacturing, energy, media, and education.
Promoted Content
Varonis Earn & Learn Email Series
Is your CISSP up to date? We’re here to help! Earn Continual Professional Education (CPE) credits with our free CPE track. We’ll send you CPE-credit worthy content each month: earn 2 CPE credits per month, learn from top industry experts, and get real world security content to take your skills to the next level. Enrollment is free – and so is all our great CPE content! This program includes: - On demand webinars that fit your busy schedule - Podcasts from top influencers in security and privacy - Video tutorials with relevant, real world security content to take your skills next level and more!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?