{"id":1185,"date":"2017-05-29T10:00:29","date_gmt":"2017-05-29T10:00:29","guid":{"rendered":"http:\/\/www.gtechbooster.com\/?p=1185"},"modified":"2026-01-03T15:31:50","modified_gmt":"2026-01-03T15:31:50","slug":"new-malware-in-the-shadows-uses-7-leaked-exploits","status":"publish","type":"post","link":"https:\/\/gtechbooster.com\/new-malware-in-the-shadows-uses-7-leaked-exploits\/","title":{"rendered":"New malware in the Shadows uses 7 leaked exploits"},"content":{"rendered":"\n

A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in Windows SMB file sharing protocol, but unlike the WannaCry Ransomware that uses only two leaked NSA hacking tools, it exploits all the seven.<\/p>\n\n\n\n

\"\"<\/a><\/div><\/div>

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.<\/p>\n\n\n\n

Now, Miroslav Stampar, a security researcher who created famous \u2018sqlmap\u2019 tool and now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks<\/strong>, which is more dangerous than WannaCry and has no kill-switch in it. Unlike WannaCry, EternalRocks<\/a> seems to be designed to function secretly in order to ensure that it remains undetectable on the affected system.<\/p>\n\n\n\n

However, Stampar learned of EternalRocks after it infected his SMB honeypot<\/a>.<\/p>\n\n\n\n

The NSA exploits used by EternalRocks, which Stampar called \u201cDoomsDayWorm<\/strong>\u201d on Twitter<\/a>, includes: <\/p>\n\n\n\n

    \n
  1. EternalBlue \u2014 SMBv1 exploit tool<\/li>\n\n\n\n
  2. EternalRomance \u2014 SMBv1 exploit tool<\/li>\n\n\n\n
  3. EternalChampion \u2014 SMBv2 exploit tool<\/li>\n\n\n\n
  4. EternalSynergy \u2014 SMBv3 exploit tool<\/li>\n\n\n\n
  5. SMBTouch \u2014 SMB reconnaissance tool<\/li>\n\n\n\n
  6. ArchTouch \u2014 SMB reconnaissance tool<\/li>\n\n\n\n
  7. DoublePulsar \u2014 Backdoor Trojan<\/li>\n<\/ol>\n\n\n\n

    Also Read:<\/strong> Hackers malware in subtitle files<\/a>
    Whereas EternalBlue, EternalChampion, EternalSynergy and EternalRomance are SMB exploits, designed to compromise vulnerable Windows computers.<\/p>

    \"\"<\/a><\/div><\/div>\n\n\n\n

    And, DoublePulsar is then used to spread the worm from one affected computers to the other vulnerable machines across the same network. Stampar found<\/a> that EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware, it gains unauthorized control on the affected computer to launch future cyber attacks.<\/p>\n\n\n\n

    Here\u2019s How EternalRocks Attack Works:<\/h3>\n\n\n\n

    EternalRocks installation takes place in a two-stage process. During the first stage, EternalRocks downloads the Tor web browser on the affected computers, which is then used to connect to its command-and-control (C&C) server located on the Tor network on the Dark Web.<\/p>\n\n\n\n

    \n

    \u201cFirst stage malware UpdateInstaller.exe (got through
    remote exploitation with second stage malware) downloads necessary .NET
    components (for later stages) TaskScheduler and SharpZLib from the
    Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe
    (e.g. sample),\u201d Stampar\u00a0    says<\/a>.<\/p>\n Stampar  <\/cite><\/blockquote>\n\n\n\n

    According to Stampar, the second stage<\/a> comes with a delay of 24 hours in an attempt to avoid sandboxing techniques, making the worm infection undetectable.
    \nAfter 24 hours, EternalRocks responds to the C&C server with an \narchive containing the seven Windows SMB exploits mentioned above.<\/p>\n\n\n\n

    \n

    \u201cComponent svchost.exe is used for
    downloading, unpacking and running Tor from archive.torproject.org along
    with C&C (ubgdgno5eswkhmpy.onion) communication requesting further
    instructions (e.g. installation of new components),\u201d Stampar adds.<\/p>\n<\/blockquote>\n\n\n\n

    All the seven SMB exploits are then downloaded to the infected computer. EternalRocks then scans the internet for open SMB ports to spread itself to other vulnerable systems as well. If you are following The Hacker News coverage on WannaCry Ransomware and the Shadow Brokers leaks, you must be aware of the hacking collective\u2019s new announcement of releasing new zero-days and exploits for web browsers, smartphones, routers, and Windows operating system, including Windows 10, from next month.<\/p>\n\n\n\n

    The exclusive access to the upcoming leaks of zero-days and exploits would be given to those buying subscription for its \u2018Wine of Month Club.\u2019 However, the Shadow Brokers has not yet announced the price for the subscription.<\/p>\n\n\n\n

    Since the hackers and state-sponsored attackers are currently waiting for new zero-days to exploit, there is very little you can do to protect yourself from the upcoming cyber attacks. <\/p>\n

    \"\"<\/a><\/div><\/div>","protected":false},"excerpt":{"rendered":"

    A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in Windows SMB file sharing protocol, but unlike the WannaCry Ransomware that uses only two leaked NSA hacking tools, it exploits all the seven.<\/p>\n","protected":false},"author":7,"featured_media":1290,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_gspb_post_css":"","footnotes":""},"categories":[1915],"tags":[1444,236,530,457,981,606,663,678,864,1494],"class_list":["post-1185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ndocs","tag-cyber-security","tag-data-security","tag-malware","tag-network","tag-network-security","tag-nsa","tag-privacy","tag-ransomware","tag-wannacry-ransomware-attack","tag-web-security"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/1185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/comments?post=1185"}],"version-history":[{"count":1,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/1185\/revisions"}],"predecessor-version":[{"id":78274,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/posts\/1185\/revisions\/78274"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media\/1290"}],"wp:attachment":[{"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/media?parent=1185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/categories?post=1185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gtechbooster.com\/api-json\/wp\/v2\/tags?post=1185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}