While you won’t be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor, as it seems a wide range of bad guys have them in their toy boxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

EternalBlue and DoublePulsar

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign but by a scanning operation that searched for vulnerable public-facing SMB ports, then used EternalBlue to get on the network and used DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers’ April 14 dump of NSA hacking tools. Almost immediately, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were “leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the U.S.”

The attack leaves no trace. By spawning threads inside legitimate apps to impersonate those apps, the attack can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, “might pose a much bigger risk than WannaCry” because “many endpoints may still be compromised despite having installed the latest security patch.”

The security firm suggested one threat actor was stealing credentials using a Russian-based IP, and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry “because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability.” Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

EternalRocks uses 7 NSA hacking tools

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the EternalRocks network worm doesn’t just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Doublepulsar, Architouch and SMBtouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesn’t drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesn’t begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be “a full-scale cyber weapon.”

After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, “The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.”

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was “going to be huge.”

He later added: