A new network worm called “MicroBotMassiveNet” (nickname: EternalRocks) was discovered recently. Like WannaCry, it spreads through SMB exploitation: “MicroBotMassiveNet” self-replicates across the targeted network by exploiting the SMB vulnerability.

NSA hacking tools are the main means by which “MicroBotMassiveNet” (nickname: EternalRocks) spreads and self-replicates across the network, using remote exploitation with the help of the seven NSA hacking tools listed below.

(ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH)

WannaCry used only two NSA hacking tools: ETERNALBLUE to compromise the target system initially, and DOUBLEPULSAR to replicate across the network wherever a vulnerable machine existed.

EternalRocks Properties

It initially reached the honeypot network of Miroslav Stampar, a security expert at the Croatian Government’s CERT.

Stages of Exploitation

According to Miroslav Stampar, in the first stage the “MicroBotMassiveNet” malware downloads the necessary .NET components from the Internet, while dropping svchost.exe and taskhost.exe.

svchost.exe is used to download the components and to unpack and run Tor from https://archive.torproject.org/. Once the first stage is finished, the malware moves on to the second stage to unpack the payloads and carry out further exploitation.

In the second stage, taskhost.exe is downloaded from the onion site http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and executed.

This download takes place only after a predefined delay of 24 hours, so the researcher had to wait that long before getting a response from the C&C server.

Once running, this process contains a zip file, shadowbrokers.zip, and unpacks it into the directories payloads/, configs/ and bins/.

Extracted Shadowbrokers File

In the configuration folder we can find the 7 NSA hacking tools (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH).

7 NSA Hacking Tools Listed in the Extracted Shadowbrokers File

Another folder contains the DLLs of the shellcode payload, among the files extracted from shadowbrokers.zip.

Once the file has been successfully unpacked, the worm scans random Internet addresses on port 445 (SMB).

This payload is pushed to the first-stage malware, and it expects the Tor process started in the first stage to be running in order to receive instructions from the C&C server, the researcher explained.
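The two network behaviours described above (fetching Tor from archive.torproject.org, then fanning out to Internet hosts on TCP 445) are what a defender can look for in firewall or proxy logs. The following detection script is an added example, not code from the article or from Stampar's analysis; the log format, the internal address range (10.0.0.0/8) and the fan-out threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the article: the worm fetches Tor from
# archive.torproject.org and then scans Internet hosts on TCP 445.
TOR_DOWNLOAD_HOST = "archive.torproject.org"
SMB_PORT = 445
# Assumptions (not from the article): the organisation's internal range, and
# how many distinct external 445 destinations from one source count as scanning.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
FANOUT_THRESHOLD = 5

# Constructed sample firewall/proxy log lines in a simple key=value form.
SAMPLE_LOG = """\
10:00:01 src=10.0.0.5 dst=198.51.100.20 dport=443 host=archive.torproject.org
10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=445 host=-
10:00:03 src=10.0.0.5 dst=198.51.100.1 dport=445 host=-
10:00:03 src=10.0.0.5 dst=198.51.100.2 dport=445 host=-
10:00:04 src=10.0.0.5 dst=198.51.100.3 dport=445 host=-
10:00:04 src=10.0.0.5 dst=198.51.100.4 dport=445 host=-
10:00:05 src=10.0.0.5 dst=198.51.100.5 dport=445 host=-
10:00:06 src=10.0.0.7 dst=10.0.0.9 dport=445 host=-
10:00:07 src=10.0.0.7 dst=203.0.113.8 dport=443 host=www.example.com
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)")


def analyse(log_text: str) -> dict:
    """Return {source_ip: [findings]} for sources showing EternalRocks-like behaviour."""
    tor_fetchers = set()
    smb_targets = defaultdict(set)  # src -> distinct external destinations on 445
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, dport, host = m["src"], m["dst"], int(m["dport"]), m["host"]
        if host.lower() == TOR_DOWNLOAD_HOST:
            tor_fetchers.add(src)
        # Internal file-server traffic on 445 is normal; only count external targets.
        if dport == SMB_PORT and ipaddress.ip_address(dst) not in INTERNAL_NET:
            smb_targets[src].add(dst)
    findings = defaultdict(list)
    for src in sorted(tor_fetchers):
        findings[src].append("downloaded Tor from %s" % TOR_DOWNLOAD_HOST)
    for src, dsts in smb_targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings[src].append("outbound SMB scan: %d external hosts on 445" % len(dsts))
    return dict(findings)


if __name__ == "__main__":
    for src, notes in analyse(SAMPLE_LOG).items():
        print(src, "; ".join(notes))
```

A host that shows both findings together matches the two-stage behaviour described above far more strongly than either one alone.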

Since it operates with many NSA hacking tools, it may have been developed for hidden communication with the victims, controllable via C&C server commands.

EternalRocks could represent a serious threat to PCs with vulnerable SMB ports exposed to the Internet, if its creator ever chooses to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.

Further technical analysis and IOCs have been published by Miroslav Stampar on GitHub.
