‘Bigger than WannaCry’: New malware employs 7 NSA exploits, expert warns
Seven exploits and tools purportedly stolen from the US National Security Agency (NSA) have been identified in 'EternalRocks', a new worm spotted by a Croatian security researcher.
Like the WannaCry ransomware, which struck hundreds of thousands of computers worldwide this month, EternalRocks spreads through Windows SMB. Where WannaCry relied on a single exploit (EternalBlue), EternalRocks apparently draws on four NSA-attributed SMB exploits: EternalBlue, EternalChampion, EternalRomance, and EternalSynergy.
Info on (new) EternalRocks worm can be found on https://t.co/oahygJdhSi. Will keep it updated, along with @_jsoo_
— Miroslav Stampar (@stamparm) May 18, 2017
The worm also uses DoublePulsar (a kernel-mode backdoor implant), ArchiTouch and SMBTouch (reconnaissance tools that probe a target before exploitation), all of which were released by the hacking group the Shadow Brokers in what appears to be a leak of NSA tooling.
The worm's characteristics were identified by Miroslav Stampar, a Croatian security expert with the country's Computer Emergency Response Team (CERT). He is also listed as a member of the Croatian chapter of the Honeynet Project, a volunteer security research network.
Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s) pic.twitter.com/VVMrAg0Gib
— Miroslav Stampar (@stamparm) May 17, 2017
In a breakdown published online, Stampar outlines how the "cyberweapon" installs itself in two separate stages, with the second stage fetched only after a 24-hour delay. The delay is an evasion tactic: automated sandboxes typically observe a sample for minutes, not a day, so they never see the second stage arrive.
“After about six to eight hours of analysis, I found how to provoke the second stage,” said Stampar when contacted by RT.com. “I got kind of excited and scared as somebody had successfully, and professionally, packed all SMB exploits from the Shadow Brokers' dump.
“I predicted that something bigger than WannaCry is coming,” he added.
Stampar explains that EternalRocks sits dormant on the infected device but can be activated later for more malicious purposes: “Its sole purpose at this moment is propagation and waiting for further command and control updates. As I see it, it is a prelude,” he said.
Conclusion: delayed downloader for https://ubgdgno5eswkhmpy[.]onion/updates/download?id=PC which seem to be a full scale cyber weapon
— Miroslav Stampar (@stamparm) May 18, 2017
Microsoft took the unusual step of releasing patches for unsupported operating systems such as Windows XP earlier this month, after WannaCry spread through the SMB vulnerability addressed by its MS17-010 update.
The emergency patches came after more than 200,000 devices became infected with WannaCry, which encrypts a computer's files and demands that victims pay a ransom for their release. The wide-reaching ransomware blitz crippled parts of the UK National Health Service.
Last week, Quarkslab security researcher Adrien Guinet released a method for decrypting files locked by WannaCry. His 'WannaKey' tool, published on GitHub, recovers the RSA private key by searching process memory for the prime numbers used to generate it, so it only works on Windows XP and only if the infected machine has not been rebooted since the infection.