EternalRocks leaves backdoor trojan for remote access to infected machines

What we know so far The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1...
Kieran Laffan
2 min read
Last updated June 12, 2023

What we know so far

The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1 file sharing protocol.

On Wednesday security researcher Miroslav Stampar, member of the Croatian Government CERT, who created infamous sqlmap (SQL injection pentesting tool), detected a new self-replicating worm which also spreads via several SMB vulnerabilities. This worm, dubbed EternalRocks uses seven leaked NSA hacking tools to infect a computer via SMB ports exposed online.

Unlike WannaCry, EternalRocks has no kill switch to stop the code from executing. It uses some files with the same names as WannaCry to try to fool security researchers into thinking it is WannaCry.

Get a Free Data Risk Assessment

EternalRocks analysis

  • Spreads via SMB ports exposed online
  • SMB reconnaissance tools SMBTOUCH and/or ARCHITOUCH are used to scan for open SMB ports on the public internet
  •  If open ports are found then one of 4 SMB exploit tools, which target different vulnerabilities in the Microsoft SMB file sharing protocol, are used to get inside the network:
    • ETERNALBLUE (SMBv1 exploit tool)
    • ETERNALCHAMPION (SMBv2 exploit tool)
    • ETERNALROMANCE (SMBv1 exploit tool)
    • ETERNALSYNERGY (SMBv3 exploit tool)
  • Once inside EternalRocks downloads the Tor web browser, which supposedly*allows you to browse the web anonymously and access sites hosted on the Dark Web which cannot be accessed from normal web browsers like Chrome, IE, or Firefox.
  • Downloads .net components which will be used later
  • Tor connects to a C&C server on the Dark Web
  • After a delay, currently set to 24 hours, the C&C server responds and an archive containing the 7 SMB exploits are downloaded. This delay is likely to avoid sandboxing techniques
  • Next the worm scans the internet for open SMB ports – to spread the infection to other organizations.

*It is questionable just how anonymous Tor really is considering that almost everyone involved in developing Tor was funded by the US Government.

The Good News

EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

The Bad News

Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

What you should do

Block external access to SMB ports on the public internet\

  • Patch all SMB vulnerabilities
  • Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to Torproject.org while you are at it
  • Monitor for any newly added scheduled tasks
  • A DOUBLEPULSAR detection script is available on Github
  • Make sure DatAlert Analytics is up to date monitoring your organization for insider threats

For detailed information on EternalRocks check out the repository setup by Stampar a few days ago on GitHub.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

🚨-massive-ransomware-outbreak:-what-you-need-to-know
🚨 Massive Ransomware Outbreak: What You Need To Know
Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the...
the-power-and-peril-of-rmm-tools 
The Power and Peril of RMM Tools 
Discover real-world examples of remote monitoring and management (RMM) tool exploits and how to protect your organization from these attacks. 
how-to-use-powershell-for-wannacry-/-wannacrypt-cleanup-and-prevention
How to use PowerShell for WannaCry / WannaCrypt cleanup and prevention
Use PowerShell to help test and resolve issues from WannaCry / WannaCrypt variants and other ransomware attacks.
varonis-gets-lightning-fast-with-solr
Varonis Gets Lightning Fast with Solr
Any security practitioner that has had to perform forensic analysis on a cybersecurity incident likely describes the process as “searching for a needle in a stack of needles.” Even Tony...