Cylance vs. EternalRocks Malware

In the world of malware, worms continue to wreak havoc due to their ability to replicate and navigate through both private and public networks.

This is not just theoretical – as we recently saw with WannaCry, the cost to recover from this particular ransomware attack has eclipsed $4.5 billion (according to research firm Cyence). It triples the total cost of recovery from 2016, including all ransomware (numbers estimated by Cybersecurity Ventures).

And as we see with EternalRocks, this is the latest in a string of exploits with a single root cause. So, what happens when the hash or hack method changes?

Background and Timeline

EternalRocks emerged in the wild during the first week of May, when researchers found the first known sample with a date of May 3.

Similar to WannaCry and Adylkuzz, EternalRocks uses the EternelBlue attack kit released by Shadow Brokers in their April dump of NSA code.

What is most worrisome is how easy ShadowBrokers exploits are to use. Attackers can simply identify a vulnerable web server, exploit it using EternalBlue, install the DoublePulsar application, and finally edit a single configuration file to execute any payload.

This puts it on par with Ransomware-as-a-Service (similar to SATAN RaaS), which would make it a tool of choice for more advanced attackers. 

How Is EternalRocks Delivered? What Does It Do?

Since EternalRocks is a worm, it can propagate (replicate laterally) on its own. The origin is often difficult to discover, which made stopping WannaCry and Adylkuzz particularly difficult.

The unknown authors created versions for 32- and 64-bit versions of Windows XP, Windows 7, and Windows Server 2008 R2. Configuration allowed for easily manipulating future (downstream) target IP addresses.

Detail About the Attack Kit

There are two stages involved in the kit. The first performs a variety (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Team. Read the original post at: