A Croatian researcher has uncovered a new worm that employs seven leaked NSA hacking tools to do its thing. It presents a potential threat that could have far worse consequences than WannaCry, even though it shares characteristics with the now-infamous ransomware.
It is, so far, not weaponized—but it could be at any moment, according to Miroslav Stampar, who is a member of the Croatian Government CERT. For now, it’s just code that propagates itself, but the C&C servers can send infected machines whatever command they choose at any time, including commands to download additional malware.
"The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer. "Once infected, he can weaponize any time he wants, no matter the late patch."
EternalRocks targets computers with exposed, unpatched SMB ports (of which there are many) and infects them using six of the NSA tools: EternalBlue, EternalChampion, EternalRomance and EternalSynergy for initial compromise, and SMBTouch and ArchiTouch for SMB reconnaissance. The seventh tool, DoublePulsar, is used to spread to new machines and remains on infected ones as an implant. It is left open by default, meaning that other bad actors can use DoublePulsar as a backdoor into any of the machines the worm has infected.
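The exposure the worm depends on is an SMB service (TCP 445) reachable from outside the organization on a host that has not received the fixes for CVE-2017-0143 through -0148. The following script is an added example, not code from the article or from the researcher it quotes: it parses constructed firewall log lines in a hypothetical format, flags hosts that accepted inbound connections on port 445 from addresses outside the organization's own ranges (assumed here to be the RFC 1918 blocks), and ranks them against a constructed patch inventory so that unpatched, internet-reachable hosts come first. The log format, the address ranges and the `PATCH_STATUS` table are all assumptions for the example.

```python
"""Flag hosts that expose SMB (TCP 445) to addresses outside the organization's own
networks and rank them against a patch inventory. Added example; all sample data is
constructed and the log format is hypothetical."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the article); hypothetical format:
#   <timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2017-05-18T10:01:02Z ALLOW TCP 203.0.113.7:51234 -> 10.0.0.5:445
2017-05-18T10:01:05Z ALLOW TCP 10.0.0.9:49152 -> 10.0.0.5:445
2017-05-18T10:02:11Z ALLOW TCP 198.51.100.23:40001 -> 10.0.0.8:445
2017-05-18T10:02:30Z DENY TCP 203.0.113.7:51300 -> 10.0.0.6:445
2017-05-18T10:03:00Z ALLOW TCP 198.51.100.23:40002 -> 10.0.0.8:80
"""

# Constructed inventory: True if the host has the fixes for CVE-2017-0143 to -0148
# applied, False if not, absent if unknown.
PATCH_STATUS = {"10.0.0.5": False, "10.0.0.6": True, "10.0.0.8": True}

# Assumed organization-internal ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) TCP (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_smb_hosts(log_text):
    """Return {dst_host: set(external sources)} for ALLOWed inbound TCP/445 connections."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["dport"] != 445:
            continue
        if not is_internal(rec["src"]):
            hits[rec["dst"]].add(rec["src"])
    return dict(hits)


def prioritize(exposed, patch_status):
    """Rank exposed hosts: unpatched first, unknown patch state next, patched last.
    Each entry is (host, patched_flag_or_None, sorted list of external sources)."""
    order = {False: 0, None: 1, True: 2}
    ranked = [(host, patch_status.get(host), sorted(srcs)) for host, srcs in exposed.items()]
    ranked.sort(key=lambda r: (order[r[1]], r[0]))
    return ranked


if __name__ == "__main__":
    for host, patched, sources in prioritize(exposed_smb_hosts(SAMPLE_LOG), PATCH_STATUS):
        state = {False: "UNPATCHED", None: "unknown", True: "patched"}[patched]
        print(f"{host}: 445 reachable from {', '.join(sources)} [{state}]")
```

Denied connections are ignored on purpose: the filter already did its job there, and counting them would only tell you who is scanning. On the constructed data the script reports 10.0.0.5 first, since it both accepted an external connection on 445 and is recorded as unpatched; 10.0.0.8 follows as exposed but patched, and 10.0.0.6 does not appear at all.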
Stampar told the media that EternalRocks is also quite stealthy—after it infects a machine, it waits a full 24 hours before talking to the C&C infrastructure in a bid to evade researcher analysis and sandboxing. It also does not include a kill switch domain, like the one used to temporarily defang WannaCry.
All of these tools are from the cache that the Shadow Brokers have made public. The now-infamous WannaCry ransomware also used two of these tools, EternalBlue and DoublePulsar.
This is unlikely to be the last malware built using the tools. Even though Microsoft announced that the leaked weapons don’t work against supported products, unsupported systems such as XP, and those that aren’t up to date with their patches, are wide open. The bad guys have taken notice: Recorded Future recently revealed plenty of interest and chatter on Russian and Chinese darknet forums, with several tools, including EternalBlue, having been reverse engineered.
“Chinese-speaking actors additionally focused on the unique malware trigger point and some claimed that the patches for CVE-2017-0143 through -0148 were insufficient because they did not address the base code weaknesses,” Recorded Future said.