Security Advisory: EternalRocks and other Malware Variants Utilising The Shadow Brokers Leaked NSA Exploits

Published by Elad Sharf, Nick Griffin (May 24, 2017)

Performanta is aware of additional malware variants, like ‘EternalRocks’, exploiting the same vulnerabilities as WannaCry and additional attack vectors leaked by The Shadow Brokers group.

If you’ve followed our previous advisory and protected yourself against WannaCry, you should already be protected against the exploitation mechanism used by these new variants:

  1. Ensure the MS17-010 security update has been applied to all Windows systems
  2. Ensure SMBv1 is turned off on all machines
  3. Ensure that no machines with file and printer sharing are publicly accessible
  4. Install an anti-virus solution on all machines

Please carry out an impact analysis before applying any of the mitigation advice listed above.

EternalRocks is a malware variant that utilises four exploits (“ETERNALBLUE”, “ETERNALCHAMPION”, “ETERNALROMANCE”, and “ETERNALSYNERGY”) and three backdoor utilities (“DOUBLEPULSAR”, “ARCHITOUCH”, and “SMBTOUCH”) that were leaked by a group calling themselves “The Shadow Brokers” earlier this year.

Performanta has been following this leak and can confirm that exploits associated with it have been utilised by different malware families both before and after the WannaCry outbreak. These vulnerabilities were all addressed by the Microsoft MS17-010 security update; mitigation advice can be found above.

Looking into the ‘EternalRocks’ binary, we found that the malware authors copied exactly the same libraries and folder structure for the exploits as in the original Shadow Brokers leak. In the following image you can see the folder that ‘EternalRocks’ uses to download its different components after compromising a machine, under \Program Files\Microsoft Updates. The exploit files are located under the /bins folder.


(Image credit: https://github.com/stamparm/EternalRocks)

These libraries seem to have been copied ‘as is’ from the leaked code; the image below shows the folder structure alongside the code leaked by The Shadow Brokers:

This confirms that malware authors are simply copying and pasting the leaked exploit code into their creations. Performanta believes that additional malware families will utilise the same exploit code and recommends following the above advice to mitigate the attack vector.
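The following PowerShell script is an added example, not Performanta’s own tooling: it audits a single Windows host against items 2 and 3 of the advice above and looks for the ‘EternalRocks’ download folder described in the analysis. It assumes Windows 8 / Server 2012 or later (for the Get-Smb* and Get-Net* cmdlets) and an elevated session; the MS17-010 KB list is a placeholder because the KB number differs per Windows version.

```powershell
# Added example (not Performanta's own tooling): audit a Windows host against
# items 2 and 3 of the advice above and look for the EternalRocks drop folder.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
# Pass -Remediate to switch SMBv1 off on the server side after the check.
param([switch]$Remediate)

$findings = [ordered]@{}

# --- Item 2: SMBv1 must be off on the server side ---
$smb = Get-SmbServerConfiguration
$findings['SMBv1 server enabled'] = $smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol -and $Remediate) {
    # Equivalent to setting HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $findings['SMBv1 server enabled (after)'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
}

# --- Item 3: is file and printer sharing (TCP 445) reachable through the firewall? ---
# Any enabled inbound Allow rule whose port filter covers 445 exposes SMB on
# that profile; such a rule on the Public profile is what the advice warns about.
$smbRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$findings['Inbound allow rules for TCP 445'] =
    ($smbRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '
$findings['TCP 445 listening'] =
    [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# --- Indicator from the analysis above: the EternalRocks download folder ---
$dropDir = Join-Path $env:ProgramFiles 'Microsoft Updates'
$findings['EternalRocks folder present']      = Test-Path $dropDir
$findings['EternalRocks bins folder present'] = Test-Path (Join-Path $dropDir 'bins')

# --- Item 1: MS17-010 ships under OS-specific KB numbers; fill $ms17010Kbs from ---
# the Microsoft bulletin for this host's OS (the value below is a placeholder).
$ms17010Kbs = @('KB-FROM-MS17-010-BULLETIN')
$installed  = Get-HotFix | Select-Object -ExpandProperty HotFixID
$findings['MS17-010 KB installed'] = [bool]($ms17010Kbs | Where-Object { $installed -contains $_ })

[pscustomobject]$findings | Format-List
```

Run it before and after applying the advice; a host that reports SMBv1 disabled, no inbound allow rule for 445 on the Public profile, and no ‘Microsoft Updates’ folder matches the state the advisory recommends.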

The Shadow Brokers group advised that it will release additional exploit code in the next few months – Performanta will keep an eye on any developments and keep you posted.

If you think you have been affected or have any concerns regarding EternalRocks or WannaCry, please contact your Account Manager.