Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

EternalRocks leaves backdoor trojan for remote access to infected machines

What we know so far The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1...
Kieran Laffan
2 min read
Published May 20, 2017
Last updated June 12, 2023

What we know so far

The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1 file sharing protocol.

On Wednesday security researcher Miroslav Stampar, member of the Croatian Government CERT, who created infamous sqlmap (SQL injection pentesting tool), detected a new self-replicating worm which also spreads via several SMB vulnerabilities. This worm, dubbed EternalRocks uses seven leaked NSA hacking tools to infect a computer via SMB ports exposed online.

Unlike WannaCry, EternalRocks has no kill switch to stop the code from executing. It uses some files with the same names as WannaCry to try to fool security researchers into thinking it is WannaCry.

Get a Free Data Risk Assessment

EternalRocks analysis

  • Spreads via SMB ports exposed online
  • SMB reconnaissance tools SMBTOUCH and/or ARCHITOUCH are used to scan for open SMB ports on the public internet
  •  If open ports are found then one of 4 SMB exploit tools, which target different vulnerabilities in the Microsoft SMB file sharing protocol, are used to get inside the network:
    • ETERNALBLUE (SMBv1 exploit tool)
    • ETERNALCHAMPION (SMBv2 exploit tool)
    • ETERNALROMANCE (SMBv1 exploit tool)
    • ETERNALSYNERGY (SMBv3 exploit tool)
  • Once inside EternalRocks downloads the Tor web browser, which supposedly*allows you to browse the web anonymously and access sites hosted on the Dark Web which cannot be accessed from normal web browsers like Chrome, IE, or Firefox.
  • Downloads .net components which will be used later
  • Tor connects to a C&C server on the Dark Web
  • After a delay, currently set to 24 hours, the C&C server responds and an archive containing the 7 SMB exploits are downloaded. This delay is likely to avoid sandboxing techniques
  • Next the worm scans the internet for open SMB ports – to spread the infection to other organizations.

*It is questionable just how anonymous Tor really is considering that almost everyone involved in developing Tor was funded by the US Government.

The Good News

EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

The Bad News

Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

What you should do

Block external access to SMB ports on the public internet\

  • Patch all SMB vulnerabilities
  • Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to Torproject.org while you are at it
  • Monitor for any newly added scheduled tasks
  • A DOUBLEPULSAR detection script is available on Github
  • Make sure DatAlert Analytics is up to date monitoring your organization for insider threats

For detailed information on EternalRocks check out the repository setup by Stampar a few days ago on GitHub.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

zero-day-vulnerability-explained
Zero-Day Vulnerability Explained
Find out how zero-day vulnerabilities become zero-day exploits and zero-day attacks, and how to defend your network from zero-day attacks and exploits.
windows-bluekeep-vulnerability:-deja-vu-again-with-rdp-security-weaknesses
Windows BlueKeep Vulnerability: Deja Vu Again With RDP Security Weaknesses
It’s a familiar data security story: under-patched Windows software, hidden security vulnerabilities, and hackers who know how to exploit them. But if the patch involves Windows Remote Desk Protocol (RDP),...
threat-update-29-–-exchange-vulnerability-detection-tips-&-tools
Threat Update 29 – Exchange Vulnerability Detection Tips & Tools
Many organizations are still dealing with the mass exploitation of on-prem Exchange servers from four Zero-Day vulnerabilities. Teams are struggling to identify and patch all of their affected servers, and...
hive-ransomware-analysis
Hive Ransomware Analysis
Learn how Hive ransomware exploits public servers, spreads through your network, encrypts sensitive files, and exports victims for cryptocurrency.