A new network worm called “MicroBotMassiveNet” (nickname: EternalRocks) was discovered recently. Like WannaCry, it exploits SMB: “MicroBotMassiveNet” self-replicates across the targeted network by exploiting the SMB vulnerability.
The main medium by which “MicroBotMassiveNet” (nickname: EternalRocks) spreads and self-replicates across the network is remote exploitation with the seven NSA hacking tools listed below.
(ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with the related programs DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH.) WannaCry used only two of these NSA hacking tools: ETERNALBLUE for the initial compromise of the target system, and DOUBLEPULSAR to replicate across the network wherever vulnerable machines existed.
EternalRocks Properties
It was first observed reaching the honeypot network of Miroslav Stampar, a security expert at the Croatian government's CERT.
Stages of Exploitation
According to Miroslav Stampar, in the first stage the “MicroBotMassiveNet” malware downloads the necessary .NET components from the Internet while dropping svchost.exe and taskhost.exe.
svchost.exe is used to download, unpack and run Tor from https://archive.torproject.org/. Once the first stage has finished, the worm moves on to the second stage, which unpacks the payloads and carries out further exploitation.
In the second stage, taskhost.exe is downloaded from the onion site http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and executed.
That download only happens after a predefined delay of 24 hours, so the researcher had to wait that long for a response from the C&C server.
Once running, this process contains a zip archive, shadowbrokers.zip, which it unpacks into the directories payloads/, configs/ and bins/.
Extracted Shadowbrokers File
In the configs folder we find the seven NSA hacking tools (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with the related programs DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH).
List of the 7 NSA hacking tools from the extracted shadowbrokers file
Another folder contains the DLL shellcode payloads among the files extracted from shadowbrokers.zip.
Once the files have been unpacked, the worm scans random Internet addresses on port 445.
This payload is pushed to the first-stage malware, and it expects the Tor process started in the first stage to be running so that it can receive instructions from the C&C, the researcher explained.
Since it is built on so many NSA hacking tools, it may have been developed for hidden communication with the victims, controllable via C&C server commands.
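The two behaviours described above that a defender can see in network telemetry are the first-stage fetch of Tor from archive.torproject.org and the later fan-out of connections to random addresses on port 445. The following is an added example, not code from this write-up or from Stampar's analysis; the log format ("time src dst dport hostname"), the field names and the fan-out threshold are assumptions.

```python
"""Flag EternalRocks-style staging and SMB fan-out in connection telemetry.

Added example. The log line format, field names and FANOUT_THRESHOLD are
assumptions, not part of the original write-up.
"""
from collections import defaultdict

TOR_HOST = "archive.torproject.org"  # first-stage Tor download, per the write-up
SMB_PORT = 445                       # port the unpacked payload scans
FANOUT_THRESHOLD = 20                # assumed: distinct tcp/445 peers that count as scanning


def parse(lines):
    """Yield (src, dst, dport, hostname) from "time src dst dport hostname" lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _time, src, dst, dport, host = parts
        yield src, dst, int(dport), host


def detect(lines, threshold=FANOUT_THRESHOLD):
    """Return {src: [findings]} for hosts that fetch Tor or fan out on tcp/445."""
    smb_peers = defaultdict(set)
    tor_fetch = set()
    for src, dst, dport, host in parse(lines):
        if host == TOR_HOST:
            tor_fetch.add(src)
        if dport == SMB_PORT:
            smb_peers[src].add(dst)
    findings = defaultdict(list)
    for src in tor_fetch:
        findings[src].append("tor-download")
    for src, peers in smb_peers.items():
        if len(peers) >= threshold:
            findings[src].append(f"smb-fanout:{len(peers)}")
    return dict(findings)


# Constructed sample: 10.0.0.5 fetches Tor, then probes 25 distinct external
# hosts on 445; 10.0.0.7 only talks SMB to two internal file servers (benign).
SAMPLE_LOG = ["2017-05-18T09:00:00 10.0.0.5 203.0.113.10 443 archive.torproject.org"]
SAMPLE_LOG += [f"2017-05-18T09:{i:02d}:00 10.0.0.5 198.51.100.{i} 445 -" for i in range(1, 26)]
SAMPLE_LOG += ["2017-05-18T09:30:00 10.0.0.7 10.0.0.20 445 -",
               "2017-05-18T09:31:00 10.0.0.7 10.0.0.21 445 -"]

if __name__ == "__main__":
    for src, hits in detect(SAMPLE_LOG).items():
        print(src, hits)
```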
EternalRocks could represent a serious threat to PCs with vulnerable SMB ports exposed to the Internet, if its creator ever chooses to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.
Further technical analysis and IOCs have been published by Miroslav Stampar on GitHub.