WannaCry Uses 2 NSA Hacking Tools, Where Newly Found Malware Uses 7

By Prempal Singh 0 Comment May 23, 2017

A security researcher has identified a new strain of malware that also spreads by exploiting flaws in the Windows SMB file-sharing protocol. Unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it uses all seven.

Last week, we warned you about multiple hacking groups using the leaked NSA hacking tools, but most of them were relying on only two: EternalBlue and DoublePulsar.

Now, Miroslav Stampar, the security researcher who created the well-known sqlmap tool and is today a member of the Croatian Government CERT, has uncovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch.

Unlike WannaCry, EternalRocks appears to have been built to operate covertly so that it remains undetected on the infected system.

Stampar discovered EternalRocks after it infected his SMB honeypot.

The NSA tools used by EternalRocks, which Stampar called “DoomsDayWorm” on Twitter, include:

  • EternalBlue — SMBv1 exploit tool
  • EternalRomance — SMBv1 exploit tool
  • EternalChampion — SMBv2 exploit tool
  • EternalSynergy — SMBv3 exploit tool
  • SMBTouch — SMB reconnaissance tool
  • ArchTouch — SMB reconnaissance tool
  • DoublePulsar — Backdoor Trojan

EternalBlue, EternalChampion, EternalSynergy and EternalRomance are SMB exploits designed to compromise vulnerable Windows computers.

DoublePulsar is the backdoor that is then used to spread the worm from an infected computer to other vulnerable machines on the same network.

Stampar found that EternalRocks disguises itself as WannaCry to mislead researchers, but rather than dropping ransomware it takes unauthorized control of the infected computer, which can later be used to launch further attacks.

Here’s How EternalRocks Attack Works:

EternalRocks installs itself in a two-stage process.

During the first stage, EternalRocks downloads Tor onto the infected computer, which is then used to connect to a command-and-control (C&C) server hosted as a Tor hidden service.

“First level malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the Net, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample),” Stampar says.

According to Stampar, the second stage only runs after a 24-hour delay, a technique for evading sandboxes, which typically observe a sample for far less time; this keeps the infection from being flagged during automated analysis.

After the 24 hours have passed, EternalRocks receives from the C&C server an archive containing the seven Windows SMB tools listed above.

“Component svchost.exe can be used for downloading, unpacking and operating Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication asking for further instructions (e.g. installing new components),” Stampar adds.

All seven SMB tools are then present on the infected computer. EternalRocks next scans the internet for open SMB ports (TCP 445) to spread itself to other vulnerable systems.
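The behaviour described in this section can be turned into network-level detections. The Python below is an added example, not code from the original article or from Stampar's analysis: it runs three heuristics over log lines, one for a host fetching Tor from archive.torproject.org, one for a host trying to resolve the ubgdgno5eswkhmpy.onion C&C name (or any .onion name) over ordinary DNS, and one for a host opening TCP/445 connections to many distinct destinations, which is what internet-wide SMB scanning looks like from inside the network. The log format, the sample traffic, the host addresses and the fan-out threshold are assumptions for illustration; the indicators themselves are those named above.

```python
"""Flag EternalRocks-style staging and SMB propagation in network logs.

Heuristics, each tied to a behaviour described in the article:
  tor-download  a host fetching Tor from archive.torproject.org (stage 1)
  onion-c2      a host trying to resolve the C&C hidden service
                ubgdgno5eswkhmpy.onion; a .onion name should never appear
                in ordinary DNS traffic, so any such lookup is flagged
  smb-scan      a host connecting to many distinct TCP/445 destinations,
                i.e. the worm hunting for its next SMB victim
"""
import re
from collections import defaultdict
from dataclasses import dataclass

TOR_DOWNLOAD_HOST = "archive.torproject.org"   # named in the article
C2_ONION = "ubgdgno5eswkhmpy.onion"            # named in the article
SMB_PORT = 445                                 # SMB over TCP
SCAN_FANOUT_THRESHOLD = 20  # assumption: tune to your network's normal 445 fan-out

# Assumed, constructed log format: "<ts> <dns|http|conn> <src_ip> <dst> [<dport>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|http|conn) (?P<src>\S+) (?P<dst>\S+)(?: (?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Alert:
    src: str
    rule: str
    detail: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def detect(lines):
    """Run the three heuristics over log lines; one Alert per (source, rule), sorted."""
    alerts = {}                      # (src, rule) -> Alert, first hit wins
    smb_targets = defaultdict(set)   # src -> distinct TCP/445 destinations

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"].lower()

        if rec["kind"] in ("dns", "http") and dst == TOR_DOWNLOAD_HOST:
            alerts.setdefault((src, "tor-download"),
                              Alert(src, "tor-download", f"fetched Tor from {dst}"))

        if rec["kind"] == "dns" and dst.endswith(".onion"):
            why = "known EternalRocks C&C" if dst == C2_ONION else "unexpected .onion lookup"
            alerts.setdefault((src, "onion-c2"), Alert(src, "onion-c2", f"{dst}: {why}"))

        if rec["kind"] == "conn" and rec["dport"] == SMB_PORT:
            smb_targets[src].add(dst)

    # Fan-out is judged over the whole input, after all connections are counted.
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_FANOUT_THRESHOLD:
            alerts[(src, "smb-scan")] = Alert(
                src, "smb-scan", f"{len(targets)} distinct TCP/{SMB_PORT} destinations")

    return sorted(alerts.values(), key=lambda a: (a.src, a.rule))


# Constructed sample traffic (not a real capture). 10.0.0.5 plays the infected host;
# 10.0.0.7 touches a single file server over SMB, which must not be flagged.
SAMPLE_LOG = [
    "2017-05-18T09:00:01 dns 10.0.0.7 fileserver.corp.example",
    "2017-05-18T09:00:02 conn 10.0.0.7 10.0.0.20 445",
    "2017-05-18T09:05:10 http 10.0.0.5 archive.torproject.org",
    "2017-05-18T09:05:12 dns 10.0.0.5 ubgdgno5eswkhmpy.onion",
    "2017-05-18T09:06:00 http 10.0.0.9 www.example.com",
] + [
    # a day later, the second stage sweeping TCP/445 across an external range
    f"2017-05-19T09:10:{i:02d} conn 10.0.0.5 203.0.113.{i} 445" for i in range(25)
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.src}  {alert.rule:<13} {alert.detail}")
```

Run on the constructed sample, the script raises all three alerts for 10.0.0.5 and nothing for the host that legitimately talks to one file server on port 445. In a real deployment the `conn` fan-out rule is the one that needs tuning: count only destinations outside your own address space, or window the count by time, so that backup servers and vulnerability scanners do not trip it.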

Source: thehackersnews.com