
Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in the Windows SMB file sharing protocol, but unlike the WannaCry ransomware, which uses only two leaked NSA hacking tools, it exploits all seven.

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.

Now, Miroslav Stampar, a security researcher who created the famous 'sqlmap' tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch in it.

Unlike WannaCry, EternalRocks seems to be designed to operate secretly in order to ensure that it remains undetectable on the affected system.

However, Stampar learned of EternalRocks after it infected his SMB honeypot.

The NSA exploits used by EternalRocks, which Stampar called "DoomsDayWorm" on Twitter, include:

  1. EternalBlue — SMBv1 exploit tool
  2. EternalRomance — SMBv1 exploit tool
  3. EternalChampion — SMBv2 exploit tool
  4. EternalSynergy — SMBv3 exploit tool
  5. SMBTouch — SMB reconnaissance tool
  6. ArchTouch — SMB reconnaissance tool
  7. DoublePulsar — Backdoor Trojan

As we have mentioned in our previous articles, SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for open SMB ports on the public internet.


EternalBlue, EternalChampion, EternalSynergy and EternalRomance, on the other hand, are SMB exploits, designed to compromise vulnerable Windows computers.

DoublePulsar is then used to spread the worm from one affected computer to the other vulnerable machines across the same network.

Stampar found that EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware, it gains unauthorized control of the affected computer to launch future cyber attacks.

Here's How the EternalRocks Attack Works:


EternalRocks installation takes place in a two-stage process.

During the first stage, EternalRocks downloads the Tor web browser onto the affected computer, which is then used to connect to its command-and-control (C&C) server located on the Tor network on the Dark Web.

"First stage malware UpdateInstaller.exe (got through remote exploitation with 2nd stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample)," Stampar says.

According to Stampar, the second stage comes with a delay of 24 hours in an attempt to avoid sandboxing techniques, making the worm infection undetectable.

After 24 hours, EternalRocks responds to the C&C server with an archive containing the seven Windows SMB exploits mentioned above.

"Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components)," Stampar adds.

All seven SMB exploits are then downloaded to the infected computer. EternalRocks then scans the internet for open SMB ports to spread itself to other vulnerable systems as well.
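As an added defensive example (not from the article, and not Stampar's own analysis code), the following Python script scores endpoint telemetry against the infection stages described above: the Tor download from archive.torproject.org, contact with the reported .onion C&C, svchost.exe/taskhost.exe running outside System32, and a scheduled task delayed by roughly 24 hours. The event tuple format, host names and sample events are constructed assumptions for this example.

```python
"""Triage heuristics for the EternalRocks chain described in the article.
Event format, host names and sample telemetry are constructed for this example."""
from datetime import datetime, timedelta

# Indicators named in the article; the .onion address is the one Stampar reported.
TOR_ARCHIVE = "archive.torproject.org"
C2_ONION = "ubgdgno5eswkhmpy.onion"
MASQUERADED = {"svchost.exe", "taskhost.exe"}  # names the worm drops
SYSTEM32 = "c:\\windows\\system32\\"            # where the genuine ones live

# Constructed telemetry: (host, ISO timestamp, event kind, detail).
# "conn" is the destination a proxy or Tor-aware sensor logged; "task" is the
# first run time of a newly created scheduled task.
SAMPLE_EVENTS = [
    ("ws01", "2017-05-17T09:00:00", "process", "c:\\windows\\system32\\svchost.exe"),
    ("ws01", "2017-05-17T09:01:00", "conn", "update.microsoft.com"),
    ("ws02", "2017-05-17T10:00:00", "process", "c:\\programdata\\svchost.exe"),
    ("ws02", "2017-05-17T10:00:05", "conn", "archive.torproject.org"),
    ("ws02", "2017-05-17T10:00:30", "process", "c:\\programdata\\taskhost.exe"),
    ("ws02", "2017-05-17T10:01:00", "task", "2017-05-18T10:01:00"),
    ("ws02", "2017-05-18T10:01:10", "conn", "ubgdgno5eswkhmpy.onion"),
]


def triage(events):
    """Map each host to the sorted list of EternalRocks stages observed on it."""
    hits = {}
    for host, ts, kind, detail in events:
        found = hits.setdefault(host, set())
        low = detail.lower()
        if kind == "process":
            name = low.rsplit("\\", 1)[-1]
            if name in MASQUERADED and not low.startswith(SYSTEM32):
                found.add("masqueraded_binary")   # stage-1 drop outside System32
        elif kind == "conn" and low == TOR_ARCHIVE:
            found.add("tor_download")            # svchost.exe fetching Tor
        elif kind == "conn" and (low == C2_ONION or low.endswith(".onion")):
            found.add("onion_c2")                # hidden-service C&C contact
        elif kind == "task":
            delay = datetime.fromisoformat(detail) - datetime.fromisoformat(ts)
            if timedelta(hours=20) <= delay <= timedelta(hours=28):
                found.add("delayed_stage2_task")  # the ~24h sandbox-evasion wait
    return {h: sorted(s) for h, s in hits.items()}


def verdict(stages):
    """Two or more independent stages on one host is treated as a strong match."""
    return "likely EternalRocks" if len(stages) >= 2 else "no match"
```

A single indicator (one .onion contact, one odd svchost.exe) is only a lead; the chain of stages is what separates this worm from ordinary Tor use or a misplaced binary.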

A lot of 'chaos' is about to happen now!


If you are following The Hacker News coverage on the WannaCry ransomware and the Shadow Brokers leaks, you must be aware of the hacking collective's new statement about releasing new zero-days and exploits for web browsers, smartphones, routers, and the Windows operating system, including Windows 10, from next month.

The exclusive access to the upcoming leaks of zero-days and exploits would be given to those buying a subscription to its 'Wine of Month Club.' However, the Shadow Brokers has not yet announced the price of the subscription.

Since hackers and state-sponsored attackers are currently waiting for new zero-days to exploit, there is very little you can do to protect yourself from the upcoming cyber attacks.
