NSA
May 25, 2017 by

‘EternalRocks’ Exploit uses Seven NSA Cyberweapons

A security researcher has discovered a repackaged exploit of a total of 7 NSA cyberweapons in a cluster called ‘EternalRockets’.

This month’s unprecedented cyberattack by the WannnaCry ransomware worm has impacted over 300,000 machines around the world, using the NSA’s EternalBlue and DoublePulsar exploits. Dwarfing it in its scale, ‘EternalRocks’ has an arsenal of a total of seven NSA cyberweapons. The worrying part? It is still unclear what the ultimate goal of the exploit could be.

First discovered by Miroslave Stampar, IT security advisor and a cybersecurity expert for the Croatian Government’s CERT, the package was found residing in an SMB honeypot. Upon analysis, Stampard discovered that it used four NSA-developed SMB exploits, specifically: EternalBlue, EternalChampion, EternalRomance and EternalSynergy, to gain access. The malware also used two NSA tools for reconnaissance with SMBTouch and ArchiTouch. Ultiamtely, DoublePulsar was used to propagate the spread of the infection.

Starting with EternalBlue, the malware exploit package runs a multistage process that includes contacting a command and control server (C&C) using Tor to install additional components.

Stampard wrote in a GitHub post:

After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on [the] internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.

After downloading Tor’s private browser, the malware sends a signal to its hidden servers. Unlike WannaCry, which alerts victims of the infection for a ransom demand, EternalRocks waits discreetly for a day before getting that ping back from the server to then download and self-replicate itself.

Due to its stealthy capabilities, the spread and size of EternalRocks’ compromised machines is unclear. As is the possible weaponized end-product of the malware.

NSA Image credit: Wikimedia.

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

WikiLeaks Reveals CIA Windows Spyware ‘Athena’

WikiLeaks has published documents from the CIA’s “Athena” project, a spyware malware that...

Read more arrow_forward

CIA Blasts WikiLeaks for Publishing Breached Secret Documents

The Central Intelligence Agency (CIA) has lambasted WikiLeaks, accusing the whistleblower...

Read more arrow_forward

WikiLeaks: CIA Malware Turned iPhones, smart TVs into Hacking Devices

WikiLeaks has leaked a large trove of CIA documents and hacking tools that were supposedly used by...

Read more arrow_forward