EternalRocks: New Malware is Even More Dangerous than WannaCry

The last few weeks have had a rattling effect on the field of cyber security, with security researchers struggling to find ways to protect society from the explicitly dangerous ransomware WannaCry.

So far the ransomware has affected around 300,000 computers in around 150 countries all over the globe, netting a six-digit sum for the black hats behind it.

Although researchers recently managed to find a kill switch for the ransomware, that still did not completely solve the problem for an already infected system.

Meanwhile, security researcher Miroslav Stampar, creator of ‘SQLmap’ and a member of the Croatian government CERT, exposed a new malware called EternalRocks in the first of May 2017.

You might be wondering what the big deal about EternalRocks is. Unlike WannaCry, which used two of the NSA’s hacking tools, EternalBlue and DoublePulsar, this malware uses seven of the NSA hacking tools released by the Shadow Brokers group. The malware spreads by exploiting flaws in the Windows SMB file-sharing protocol.

The seven tools used by this malware are:

1. EternalBlue — SMBv1 exploit tool

2. EternalRomance — SMBv1 exploit tool

3. EternalChampion — SMBv2 exploit tool

4. EternalSynergy — SMBv3 exploit tool

5. SMBTouch — SMB reconnaissance tool

6. ArchiTouch — SMB reconnaissance tool

7. DoublePulsar — Backdoor Trojan


The key fact about this new malware is that it has no kill switch.

The malware is built to avoid detection: to the victim it pretends to be the WannaCry ransomware, but instead of dropping ransomware it focuses on gaining unauthorized access to the system.

“It spreads through public (The Shadow Brokers NSA dump) SMB exploits: ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH, and SMBTOUCH,” says Stampar.


The malware works in two stages.

In the first stage, the malware downloads the Tor browser and uses it to connect to a command and control server located on the Tor network on the dark web. Stampar explained this in detail on GitHub: “First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample).”


In the second stage, after 24 hours another malware is downloaded; after its initial run it drops the Shadowbrokers.zip file and extracts all the files in it.

“It starts a random scan of opened 445 (SMB) ports on the Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from the first stage to get further instructions from C&C,” added Stampar.
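The second-stage behaviour Stampar describes, a random scan of port 445 across the Internet, shows up in connection logs as one internal host fanning out to many unrelated SMB targets in a short time. The following detector is an added example, not code from the article or from Stampar's report; it assumes a simple constructed log format (one connection per line: timestamp, source, destination:port) and constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the page): "<ISO timestamp> <src> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def scanning_hosts(lines, window=timedelta(seconds=60), min_targets=10):
    """Map each source that reached at least `min_targets` distinct hosts on
    TCP 445 inside some sliding time window to the largest such count seen."""
    by_src = defaultdict(list)            # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 445:
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

# Constructed sample log (not from the page): 10.0.0.5 sprays SMB at twelve
# unrelated Internet hosts within twelve seconds; 10.0.0.9 is an ordinary client.
SAMPLE_LOG = [
    f"2017-05-18T10:00:{i:02d} 10.0.0.5 -> 198.51.100.{i}:445" for i in range(1, 13)
] + [
    "2017-05-18T10:00:03 10.0.0.9 -> 10.0.0.1:445",
    "2017-05-18T10:00:40 10.0.0.9 -> 10.0.0.2:445",
    "2017-05-18T10:00:41 10.0.0.9 -> 203.0.113.8:443",   # not SMB, ignored
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    print(scanning_hosts(SAMPLE_LOG))   # {'10.0.0.5': 12}
```

The threshold and window are tuning knobs: a file server legitimately talks to many SMB clients, so in practice restrict the rule to destinations outside the organisation's own ranges or raise `min_targets` for known servers.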


On 25th May Mr. Stampar updated his report on EternalRocks, saying that the author dropped the whole EternalRocks campaign after the news spread; Stampar also says that the malware no longer updates to the second stage. The C&C page now holds the following messages, which were shown after successful registration.


source: Stampar’s Github

But no one can say what is in the mind of a hacker.