The recently emerged EternalRocks network worm might become an even bigger cyber threat than the WannaCry ransomware. A researcher from the Croatian Government CERT discovered a worm that uses seven of the hacking tools stolen from the National Security Agency (NSA) and leaked in April 2017, whereas WannaCry uses only two. Although Microsoft released patches even for Windows versions it no longer supports, plenty of users feel safe and see no need to update and patch their OS. It is therefore no surprise that attackers managed to use the same flaws in the Windows SMB file-sharing protocol to infiltrate devices. Fortunately, this network worm does not distribute any malware yet. However, analysis has shown that it may at any moment receive a command from its Command and Control server to launch an attack, so the situation might change soon.
Miroslav Stampar, a researcher from the Croatian Government CERT, has discovered the EternalRocks worm, originally known as MicroBotMassiveNet. The worm exploits the same vulnerabilities in the Windows SMB file-sharing protocol as WannaCry. Microsoft has released patches for these flaws, but the WannaCry outbreak proved that plenty of machines still run outdated and unpatched systems. While the ransomware used only the EternalBlue exploit and the DoublePulsar backdoor, this new threat employs five more tools. The worm is known to use EternalBlue, EternalRomance, EternalChampion, EternalSynergy, SMBTouch, ArchiTouch and DoublePulsar: the first four are SMB exploits, SMBTouch and ArchiTouch are reconnaissance tools that check whether a target is exploitable, and DoublePulsar is the kernel backdoor the exploits install.
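A worm that spreads over SMB has to reach many neighbours on TCP/445 from each infected host, and that fan-out is visible in ordinary connection logs. The following is an added example, not code from the article or from the Croatian Government CERT research it reports on: a small Python detector that flags any source contacting many distinct hosts on TCP/445 within a short window. The log format (epoch timestamp, source, destination, destination port, protocol), the sample lines, the 60-second window and the threshold of 10 destinations are all assumptions made for the example.

```python
"""Flag worm-style SMB fan-out in a connection log.

Added example; not code from the original article or from the CERT
research it reports on. It assumes a space-separated connection log
with the fields  epoch_ts src_ip dst_ip dst_port proto  (a reduction
of a firewall or Zeek conn.log export; the field layout is an
assumption). A source that reaches many *distinct* hosts on TCP/445
within a short window is behaving like an SMB worm. A file server or
domain controller that many clients talk to is not flagged, because
the rule counts destinations per source, not sources per destination.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[int, str, str, int, str]

# Constructed sample log (not captured traffic): 10.0.0.7 sweeps TCP/445
# across twelve neighbours in twelve seconds, 10.0.0.5 repeatedly uses
# one file server, 10.0.0.9 touches two SMB hosts and one HTTPS host.
SAMPLE_LOG = """\
1495200000 10.0.0.5 10.0.0.20 445 tcp
1495200003 10.0.0.9 10.0.0.20 445 tcp
1495200004 10.0.0.9 10.0.0.30 443 tcp
1495200005 10.0.0.9 10.0.0.21 445 tcp
1495200010 10.0.0.7 10.0.0.1 445 tcp
1495200011 10.0.0.7 10.0.0.2 445 tcp
1495200012 10.0.0.7 10.0.0.3 445 tcp
1495200013 10.0.0.7 10.0.0.4 445 tcp
1495200014 10.0.0.7 10.0.0.5 445 tcp
1495200015 10.0.0.7 10.0.0.6 445 tcp
1495200016 10.0.0.7 10.0.0.8 445 tcp
1495200017 10.0.0.7 10.0.0.9 445 tcp
1495200018 10.0.0.7 10.0.0.10 445 tcp
1495200019 10.0.0.7 10.0.0.11 445 tcp
1495200020 10.0.0.7 10.0.0.12 445 tcp
1495200021 10.0.0.7 10.0.0.13 445 tcp
1495200060 10.0.0.5 10.0.0.20 445 tcp
1495200061 10.0.0.5 10.0.0.20 445 udp
"""


def parse_log(text: str) -> List[Event]:
    """Parse log lines into (ts, src, dst, port, proto) tuples.

    Blank lines and '#' comments are skipped; any other malformed line
    raises, because silently dropping records would hide scan activity.
    """
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {line!r}")
        ts, src, dst, port, proto = fields
        events.append((int(ts), src, dst, int(port), proto.lower()))
    return events


def smb_fanout(events: List[Event], window: int = 60, threshold: int = 10,
               port: int = 445) -> Dict[str, Tuple[int, int]]:
    """Return {src: (distinct_destinations, window_start_ts)} for every
    source that contacted at least `threshold` distinct hosts on TCP/`port`
    within some `window`-second span. The reported window is the one with
    the largest fan-out (the earliest such window on ties).
    """
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if dport == port and proto == "tcp":
            per_src[src].append((ts, dst))

    alerts: Dict[str, Tuple[int, int]] = {}
    for src, conns in per_src.items():
        conns.sort()
        best_count, best_start = 0, 0
        for i, (start, _) in enumerate(conns):
            # Distinct destinations reached in [start, start + window].
            reached = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(reached) > best_count:
                best_count, best_start = len(reached), start
        if best_count >= threshold:
            alerts[src] = (best_count, best_start)
    return alerts


if __name__ == "__main__":
    for src, (count, start) in smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct SMB targets within 60s "
              f"starting at {start}")
```

Running the block prints one alert for 10.0.0.7 and nothing for the hosts that only talk to a file server. The window and threshold need tuning per environment (vulnerability scanners and backup servers legitimately fan out on 445, so whitelist them by source), and this rule only sees propagation from an already infected host; it does not tell you whether the initial exploit succeeded, which is what patching and disabling SMBv1 are for.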
On an affected system, the worm installs the Tor client as its communication channel to the Command and Control (C&C) server. It does not connect to the server immediately, though: it stays silent to avoid detection and waits 24 hours before contacting the C&C. That delay also means a sandbox that runs a sample for a few minutes will see no C&C traffic at all. Once the connection is established, the worm starts executing the commands it receives. Moreover, unlike WannaCry it has no kill-switch domain, and it might soon be capable of distributing ransomware or other malware. EternalRocks is therefore expected to become an even more dangerous threat than WannaCry.
It may seem that the attackers are just testing this network worm and that it cannot cause any damage, at least for now. That is a naive assumption. Even though it does not distribute malware, it can still harm the affected device. For instance, one of the employed tools, DoublePulsar, is a backdoor: it stays resident on the infected host, and any other malware can easily be loaded through it, whether by the worm's operators or by anyone else who finds the implant. Besides, the C&C connection hands control of the device to the people behind this threat, and no one knows what their intentions might be.