Wannacry

With the public outcry over WanaCrypt0r waning, a new cybercriminal group has rolled out a new attack profile utilizing seven other tools designed by the NSA and released by WikiLeaks.

So far the new tools are not being used for anything overly nefarious and no malware is being dropped, but some analysts believe that, if weaponized, they could prove to be very dangerous.

The EternalRocks worm first appeared on May 17 when it wandered into a honeypot operated by Miroslav Stampar, a member of the Croatian Government CERT, reported Bleeping Computer. It uses a patchwork of stolen NSA tools, including the now well-known EternalBlue and DoublePulsar, along with EternalChampion, EternalRomance, EternalSynergy, SMBTouch and Architouch.

Because EternalRocks uses the same family of tools, it is targeting the same SMB demographic, but it has been described as more sophisticated, if less dangerous, at least so far. Chris Morales, head of security analytics at Vectra Networks, described the new worm as darker and more refined, with the ability to spread rapidly if left undetected.

“What makes it much more concerning at this stage, compared to WannaCry, is that it hasn't yet been linked to a destructive malware payload, although it does install additional vulnerabilities, making a future attack easier. While it may be pretty much a silent threat right now, the full extent of the damage it could do has yet to be realized,” Morales told SC Media.

Bleeping Computer also noted the lack of a payload and believes this means the current activity is either a test or the creator is testing the malware to make it more useful for a future attack.

“This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm's owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks,” Bleeping Computer reported.

Despite using some of the same NSA tools, EternalRocks operates in a different fashion from its more famous cousin.

It uses a two-step installation process. After it first gains a foothold in a system, it waits about 24 hours before contacting its command and control server. The delay is most likely designed to avoid various security measures, but that does not mean it cannot be detected.

“The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization. EternalRocks uses a delayed Tor communication with a command and control server. By delaying the communications the bad actors are attempting to be more stealthy,” said Michael Patterson, Plixer's CEO.
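
The check Patterson describes, as an added example (not from the article or from Plixer): it scans historical flow records for internal hosts that contacted a Tor relay and marks those whose first relay contact came roughly a day after inbound SMB, matching the delay reported above. The relay addresses, flow record format, internal range and the 20 to 30 hour window are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values: relay addresses come from documentation ranges (RFC 5737),
# not real Tor relays. Load your own relay list and internal ranges in practice.
TOR_RELAYS = {"203.0.113.10", "198.51.100.77"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: start time, source, destination, destination port.
FLOWS = """\
ts,src,dst,dport
2017-05-16T08:00:00,10.0.7.7,10.0.1.31,445
2017-05-17T09:00:00,10.0.5.9,10.0.1.20,445
2017-05-18T09:12:00,10.0.1.20,203.0.113.10,9001
2017-05-18T10:00:00,10.0.1.31,198.51.100.77,443
2017-05-18T11:00:00,10.0.1.40,192.0.2.8,443
"""

def parse_flows(text):
    """Parse CSV flow records into time-ordered (ts, src, dst, dport) tuples."""
    rows = [(datetime.fromisoformat(r["ts"]), r["src"], r["dst"], int(r["dport"]))
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows)

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def tor_findings(flows, relays=TOR_RELAYS,
                 lo=timedelta(hours=20), hi=timedelta(hours=30)):
    """Map each internal host that contacted a relay to its first contact time
    and whether inbound SMB (TCP/445) reached it 20-30 hours earlier."""
    smb_in = defaultdict(list)          # host -> times of inbound TCP/445
    findings = {}
    for ts, src, dst, dport in flows:
        if dport == 445 and is_internal(dst):
            smb_in[dst].append(ts)
        if is_internal(src) and dst in relays and src not in findings:
            delayed = any(lo <= ts - t <= hi for t in smb_in[src])
            findings[src] = {"first_tor": ts, "delayed_after_smb": delayed}
    return findings

if __name__ == "__main__":
    for host, f in tor_findings(parse_flows(FLOWS)).items():
        note = "about a day after inbound SMB" if f["delayed_after_smb"] else "no SMB correlation"
        print(f"{host} first Tor contact {f['first_tor'].isoformat()} ({note})")
```

Any host in the result has a historical Tor connection and deserves review; the delay flag only helps rank which ones to examine first.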

The lack of a kill switch is the other major differentiator, but Morales said calling WannaCry's Achilles heel a kill switch might have been incorrect.

“In fact, it's worth noting that the so-called ‘kill switch’ web domain name that ended WannaCry was probably not a kill switch at all, but rather a Sandbox evasion technique. By enabling the domain WannaCry was looking for, it indicated to the ransomware it was running in a sandbox, causing it to shut down rather than let itself be analyzed,” he said.