A security researcher has discovered a repackaged bundle of a total of seven NSA cyberweapons in a malware cluster called ‘EternalRocks’.
This month’s unprecedented cyberattack by the WannaCry ransomware worm has impacted over 300,000 machines around the world, using the NSA’s EternalBlue and DoublePulsar exploits. Dwarfing it in the scale of its arsenal, ‘EternalRocks’ bundles a total of seven NSA cyberweapons. The worrying part? It is still unclear what the ultimate goal of the malware could be.
First discovered by Miroslav Stampar, IT security advisor and a cybersecurity expert for the Croatian Government’s CERT, the package was found residing in an SMB honeypot. Upon analysis, Stampar discovered that it used four NSA-developed SMB exploits, specifically EternalBlue, EternalChampion, EternalRomance and EternalSynergy, to gain access. The malware also used two NSA tools, SMBTouch and ArchiTouch, for reconnaissance. Ultimately, DoublePulsar was used to propagate the infection.
Starting with EternalBlue, the malware exploit package runs a multistage process that includes contacting a command and control server (C&C) using Tor to install additional components.
Stampar wrote in a GitHub post:
After the initial run it drops the exploit pack shadowbrokers.zip and unpacks the contained directories payloads/, configs/ and bins/. After that, it starts a random scan of open 445 (SMB) ports on [the] internet, while running the contained exploits (inside directory bins/) and pushing the first-stage malware through payloads (inside directory payloads/). Also, it expects a running Tor process from the first stage to get further instructions from C&C.
After downloading Tor’s private browser, the malware sends a signal to its hidden servers. Unlike WannaCry, which alerts victims of the infection with a ransom demand, EternalRocks waits discreetly for a day before getting that ping back from the server, then downloads further components and self-replicates.
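A defender-side check for the scanning behaviour Stampar describes (random outbound connections to TCP/445 on internet hosts): the Python below is an added example, not code from the article or from Stampar’s analysis, and it counts per-source fan-out of outbound SMB connections to non-internal addresses over constructed firewall log lines. The log format, the alert threshold and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall connection log (not from the article).
# Format assumed: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
# Documentation ranges (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in
# for arbitrary internet addresses hit by a random 445 scan.
SAMPLE_LOG = """\
2017-05-18T10:00:01 10.0.0.5 203.0.113.7 445 tcp
2017-05-18T10:00:02 10.0.0.5 198.51.100.23 445 tcp
2017-05-18T10:00:02 10.0.0.5 192.0.2.99 445 tcp
2017-05-18T10:00:03 10.0.0.5 203.0.113.150 445 tcp
2017-05-18T10:00:03 10.0.0.5 198.51.100.200 445 tcp
2017-05-18T10:00:04 10.0.0.5 192.0.2.17 445 tcp
2017-05-18T10:00:05 10.0.0.9 10.0.0.20 445 tcp
2017-05-18T10:00:06 10.0.0.9 10.0.0.21 445 tcp
2017-05-18T10:00:07 10.0.0.12 203.0.113.7 443 tcp
"""

# Address space treated as "internal"; everything else counts as internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_external(addr: str) -> bool:
    """True when addr lies outside every internal network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_smb_scanners(log_text: str, threshold: int = 5) -> dict:
    """Map each source IP to the number of distinct internet hosts it
    contacted on TCP/445, keeping only sources at or above threshold.
    Normal workstations rarely open SMB to many external hosts, so a
    high fan-out is the worm-like pattern worth alerting on."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash
        _ts, src, dst, port, proto = parts
        if port != "445" or proto != "tcp" or not is_external(dst):
            continue
        fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

Internal-to-internal SMB (host 10.0.0.9 above) is deliberately left out here; it belongs to a separate lateral-movement check with its own baseline.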
Due to its stealthy capabilities, the spread and size of EternalRocks’ compromised machines is unclear, as is the possible weaponized end-product of the malware.