In the wake of the global attack by the WannaCry ransomware, security researchers are identifying a number of other malware that use the same exploits that were leaked by the ShadowBrokers. The vulnerability used by WannaCry is a Windows Server Message Block remote execution vulnerability. This means that a specially crafted message can be sent to Windows operating systems, that can allow the execution of arbitrary code. Microsoft issued a patch for this vulnerability on 14 March.
The WannaCry ransomware used an exploit of this vulnerability, known as EternalBlue to worm its way into systems. Once the infection had spread, WannaCry used a backdoor, known as DoublePulsar. This would allow remote attackers to execute code on the compromised machines. However, the WannaCry ransomware is not the only malware to use both the exploit, EternalBlue or the backdoor, DoublePulsar. A cryptocurrency miner known as Adylkuzz is minting virtual currencies on infected machines. Another malware spreading through a similar attack vector is known as UIWIX.
A newly discovered malware, known as EternalRocks exploits the same vulnerability to spread, and may actually be more dangerous than WannaCry. The original cache of leaked NSA tools includes a number of exploits. Some of these are EmeraldThread, ErraticGopher, EnglishmansDentist, EskimoRoll, EwokFrenzy and ZippyBeer. Along with EternalBlue, EternalChampion, EternalRomance and EternalSynergy are all Server Message Block (SMB) exploits. EternalRocks uses all four of these. EternalRocks also uses the DoublePulsar backdoor, as well as two tools used to scan for SMB vulnerabilities, ArchiTouch and SMBTouch.
The EternalRocks malware is relatively new, and has just been discovered in May. One of the unique features of the malware is that it waits for a period of twenty four hours, before using the backdoor to download additional malware from the command and control server. Cisco's Talos intelligence is actively tracking a number of malware using the leaked NSA tools. Unlike the WannaCry ransomware, whose spread was halted because a security blogger registered a domain, the EternalRocks malware does not have a killswitch.
Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract
— Miroslav Stampar (@stamparm) May 18, 2017
The malware initially appeared to be a copy of the WannaCry ransomware, or a variant. It was using the same process names used by WannaCry to distract investigators, and mask its own activities. The malware is known by a number of names, including DoomsDayWorm and MicroBotMassiveNet. The malware appears to be a worm that is creating a botnet of some sort. At this point of time, EternalRocks does not seem to have a malicious payload, but that just means that it is in a preparatory stage of the attack. Malicious actors can execute code on infected machines remotely.
After the ShadowBrokers allegedly obtained the tools from a secret NSA server, the hacking collective put up the tools for auction. There were no serious buyers, the auction was RickRolled with a series of bitcoin transactions, and the ShadowBrokers publicly released the tools. Microsoft claimed that it had already fixed the vulnerabilities exposed by the hacking group. Some of the affected machines included older operating systems that Microsoft no longer publicly supported. Although it was initially reported that Windows XP systems were the most affected, the malware could not spread through the systems, and the malware was actually so successful because of unpatched Windows 7 systems.
Older systems are still vulnerable if unpatched. There are a number of leaked tools that can still be used by malicious actors. Security experts have warned that more attacks similar to the WannaCry attack may follow.