Unlike WannaCry which exploits two SMB vulnerabilities, EternalRocks is a doomsday worm that exploits seven SMB vulnerabilities in Windows.
"There are only two types of companies, those that have been hacked and those that will be." - Robert Mueller, FBI Director
While the world has preparing for another WannaCry attack which exploits only two SMB vulnerabilities in Windows called EternalBlue and DoublePulsar, researchers have discovered one more malware recently which actually exploits seven SMB vulnerabilities in Windows.
The seven vulnerabilities are:
EternalBlue — SMBv1 exploit tool.
EternalRomance — SMBv1 exploit tool.
EternalChampion — SMBv2 exploit tool.
EternalSynergy — SMBv3 exploit tool.
SMBTouch — SMB reconnaissance tool.
ArchTouch — SMB reconnaissance tool.
DoublePulsar — Backdoor Trojan.
Miroslav Stampar, a security researcher at Croatian Government CERT, first discovered this malware called EternalRocks which is far more dangerous than WannaCry and has no kill switch.
Unlike WannaCry, EternalRocks is designed to stay undetectable on affected systems. Stamper identified this worm after it hit his SMB honeypot. While EternalBlue, EternalChampion, EternalSynergy, and EternalRomance are designed to exploit vulnerable computers, DoublePulsar is used to spread the worm from one affected computer to other vulnerable computers across networks. Stampar found that EternalRocks disguises itself as WannaCry to fool security professionals, but instead of locking your files and asking for a ransom, it gains unauthorized control on the infected computer to launch future cyberattacks.
How Does EternalRocks Work?
EternalRocks installation happens in 2 stages.
Stage 1: Once EternalRock hits a computer, it downloads a Tor browser on that computer, which it later connects with a command and control (C&C) server located in an unidentified location on the web.
Stage 2: EternalRock stays where it is for 24 hours to avoid unnecessary attraction, then it communicates with the C&C server; this is where the worm reshapes into a beast. An archive containing all 7 exploits is shared the with C&C server, then a component called svchost.exe is used for downloading and executing all other actions to take over the affected system. Then this worm starts finding open SMB ports for infecting other vulnerable computers in the network.
Secure Your Network With Seamless Patch Management
"Cybersecuirty is a shared responsibility and it boils down to this: In cybersecurity the more systems we secure, the more secure we all are." - Jeh Johnson
With a lot of new malware being unleashed day by day after WannaCry, enterprises are looking for security solutions which can help them stay secure in spite of all these attacks. Experts suggest employing proper patch management procedures, which can keep your network and devices stay safe from any unwanted security breaches.
When malware like WannaCry, Adylkuzz, and EternalRocks have started flowing into world networks, security teams have to keep up with this trend to know how exactly these threats are capitalizing on vulnerabilities and hijacking your computers. Stay ahead of the storm.