Right after the WannaCry campaign was launched, a worm called EternalRocks was detected in cyberspace. It employs seven NSA hacking tools, whereas WannaCry employed two. As its name suggests, the malware targets server message block (SMB) vulnerabilities and infects other computers on the same network. What are the chances of the worm becoming one of the key cyber menaces of 2017?
The first signs of this trojan were already detected at the beginning of May, but its activity peaked around May 22. The virtual community was quick to call it a “doomsday” threat. It downloads seven NSA hacking tools packed into a shadowbrokers.zip archive: EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch, and uses them to target weak SMB protocols. Once settled on a device, the malware waits 24 hours before launching the second stage of its attack. It then secretly downloads the Tor browser and transmits signals to a remote server. Consequently, the server starts sending the main payload of the malware, which then replicates itself to other computers located on the same network. Although this malware takes longer to act, IT specialist Miroslav Stampar luckily detected EternalRocks in time. Interestingly, the malware disguises itself under the name of WannaCry. Furthermore, unlike that virus, the malware does not have a “kill switch”.
Ironically, what ruined the fun for the developer of the malware was none other than the excessive amount of attention. After the previously mentioned IT professional detected the malware on the dark web, the discovery immediately attracted the media and other virus researchers. The developer of the worm, who goes by the name “tmc”, left a message on his secret onion website explaining why he decided to develop the malware. He elaborates that it was merely a game for him to fiddle with the exploit kits and launch the attack, and that he was also curious to find out how they functioned. Though the attention forced the developer to reconsider his attack, it is too early to lay down arms. The worm no longer executes its two-stage attack, but downloads a shady executable and infects a smaller number of targeted devices. It no longer replicates itself to other devices on the same network. Though the malware has subsided a little, the virtual community should not let its guard down, and should prepare for a possible second wave.