In the world of malware, worms continue to wreak havoc due to their ability to replicate and navigate through both private and public networks.
This is not just theoretical: as we recently saw with WannaCry, the cost to recover from that single ransomware attack has eclipsed $4.5 billion (according to research firm Cyence). That is triple the total cost of recovery from all ransomware in 2016 (as estimated by Cybersecurity Ventures).
And EternalRocks, as we will see, is the latest in a string of exploits sharing a single root cause. So, what happens when the hash, or the attack method, changes?
EternalRocks emerged in the wild during the first week of May, when researchers found the first known sample with a date of May 3.
Similar to WannaCry and Adylkuzz, EternalRocks uses the EternalBlue attack kit released by the Shadow Brokers in their April dump of NSA code.
What is most worrisome is how easy the Shadow Brokers exploits are to use. Attackers can simply identify a vulnerable web server, exploit it using EternalBlue, install the DoublePulsar application, and finally edit a single configuration file to execute any payload.
This puts it on par with Ransomware-as-a-Service (similar to SATAN RaaS), which would make it a tool of choice for more advanced attackers.
Since EternalRocks is a worm, it can propagate (replicate laterally) on its own. The origin is often difficult to discover, which made stopping WannaCry and Adylkuzz particularly difficult.
The unknown authors built 32- and 64-bit variants for Windows XP, Windows 7, and Windows Server 2008 R2. The configuration made it easy to change the future (downstream) target IP addresses.
The kit operates in two stages. The first performs a variety of actions on the system: checking whether the worm is already installed, installing binaries, installing the Tor browser, creating firewall rules, and creating scheduled Windows tasks to ensure persistence and effectiveness.
Interestingly, the first stage of the worm also disables the file and print sharing service and then blocks all inbound traffic to SMB port 445. This effectively prevents further exploitation attempts against the same host.
The last step fetches the second stage payload from the Tor command-and-control (C2) server and then executes the binary.
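The stage-one behaviour described above (a new firewall rule blocking inbound SMB/445, new scheduled tasks, Tor dropped onto the host) is the kind of pattern a defender can correlate in Windows Security event logs. The following is an added example, not code from the original post or from Cylance: it runs over constructed event records (IDs 4946 = firewall rule added, 4698 = scheduled task created, 4688 = process created) whose field names, hostnames, task names and paths are assumptions, not a real product schema or real indicators.

```python
"""Correlate Windows Security events for the EternalRocks stage-one pattern."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumed.
EVENTS = [
    {"host": "ws01", "time": "2017-05-03T10:00:05", "id": 4946,
     "rule": "Block 445 in", "port": "445", "dir": "in", "action": "block"},
    {"host": "ws01", "time": "2017-05-03T10:00:09", "id": 4698,
     "task": "\\Microsoft\\Windows\\UpdateChecker"},          # constructed name
    {"host": "ws01", "time": "2017-05-03T10:00:20", "id": 4688,
     "image": "C:\\Users\\Public\\tor\\tor.exe"},              # constructed path
    {"host": "ws02", "time": "2017-05-03T11:30:00", "id": 4698,
     "task": "\\Backup\\Nightly"},                             # benign admin task
    {"host": "ws03", "time": "2017-05-03T12:00:00", "id": 4946,
     "rule": "Block SMB", "port": "445", "dir": "in", "action": "block"},
    {"host": "ws03", "time": "2017-05-03T14:00:00", "id": 4698, "task": "\\Foo"},
]
WINDOW = timedelta(minutes=10)  # indicators must cluster to count as one install


def _ts(e):
    return datetime.fromisoformat(e["time"])


def classify(e):
    """Map one event to a stage-one indicator name, or None if irrelevant."""
    if (e["id"] == 4946 and e.get("port") == "445"
            and e.get("dir") == "in" and e.get("action") == "block"):
        return "smb445_inbound_block_rule"
    if e["id"] == 4698:
        return "scheduled_task_created"
    if e["id"] == 4688 and e.get("image", "").lower().endswith("\\tor.exe"):
        return "tor_process_started"
    return None


def detect(events, window=WINDOW):
    """Return {host: sorted indicators} for hosts where a 445 block rule and a
    new scheduled task fall within `window`; a Tor start in the same window is
    recorded as a supporting indicator."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        ind = classify(e)
        if ind:
            by_host[e["host"]].append((_ts(e), ind))
    hits = {}
    for host, evs in by_host.items():
        for i, (t0, _) in enumerate(evs):
            seen = {ind for t, ind in evs[i:] if t - t0 <= window}
            if {"smb445_inbound_block_rule", "scheduled_task_created"} <= seen:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, inds in detect(EVENTS).items():
        print(f"{host}: {', '.join(inds)}")
```

Only ws01 is flagged: ws02 has a task but no firewall change, and ws03's rule and task are two hours apart, outside the correlation window.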
The second stage consists of two distinct binaries. One is the self-propagating worm mentioned earlier, which drops a number of Shadow Brokers payloads, including exploits and configuration files, and then attempts to propagate to additional vulnerable hosts.
According to independent research on GitHub, the author replaced the original, self-propagating payload with a new application on May 25. This binary is benign and contains no functional code.
Currently, this second-phase executable is almost a smokescreen: a bizarre, empty .NET binary that contains no significant code. It was most likely placed there by the malware author only to stop the propagation of the worm. Defenders should be very wary, as this can quickly flip to a weaponized, malicious executable in the future.
EternalRocks presents a useful proof of concept (POC) for future Shadow Brokers exploit-based attacks. Like other worms employing multiple propagation mechanisms, it can persist in environments with unpatched hosts long after the vulnerabilities are officially fixed. It is likely that these kinds of attacks will continue to become more sophisticated with time, leveraging multiple attack vectors to deliver a number of potentially damaging payloads.
The C2 domain for EternalRocks was still registered (as of late May) and delivered the empty payload described above. At any time, the author could swap the benign payload for something more malicious. It is also possible that the author will attempt to sell the framework to malicious actors, or that it will be reverse-engineered by someone with more malicious intentions. Future versions could also swap this domain for other, currently dormant ones.
Cylance convicts all binaries associated with this worm, quickly quarantining them as they are dropped to disk.
This is key: even if the worm is allowed to attempt its madness on unprotected devices, Cylance will prevent it from propagating.
In earlier demonstrations, Cylance has shown that once installed, CylancePROTECT® can instantly clean up infected machines, removing all malicious files and terminating services.