New SMB Network Worm “MicroBotMassiveNet” Using 7 NSA Hacking Tools , Wannacry using only Two

21 May

A New Network Worm called “MicroBotMassiveNet” (Nick Name:EternalRocks) Discovered Recently  which is also  Performing in SMB Exploit as Wannacry .“MicroBotMassiveNet” self Replicate with the targeting network and Exploit the SMB Vulnerability.

NSA Hacking tools are the major medium for “MicroBotMassiveNet” (Nick Name:EternalRocks) to Spread and Self Replicate Across the Network by using Remote Exploitation by the Help of 7 NSA Hacking tools.

Wannacry used only 2 NSA Hacking Tools which is ETERNALBLUE for initial Compromising the target system and DOUBLEPULSAR for Replicate to across the network where Vulnerable Machine existed.

EternalRocks Properties

Initially its Reached to the Honeypot Network of Croatian Government’s CERT Security Expert Miroslav Stampar

Stages of Exploitation

According to Miroslav Stampar , in First Stage of “MicroBotMassiveNet” Malware downloads necessary .NET components from Internet, while dropping svchost.exe and taskhost.exe

svchost.exe is used to Download the component and unpacking and running Tor from https://archive.torproject.org/. once its Finished the First Stage then it will move to the second stage for Unpacking the payloads and further Exploitation.

In second stage taskhost.exe is being Downloaded from the onion website  http://ubgdgno5eswkhmpy.onion/updates/download?id=PC  and run the taskhost.exe .

it will Download after a Predefined time of 24 Hours so untill that Researcher wait for getting response from C&C Server.

After Running this Process  its contain a Zip  files  shadowbrokers.zip and Unpacking the unpack directories which is payloads/, configs,bins/ .

Extracted Shadowbrokers File

In Configuration Folder we can find the 7 NSA Hacking Tools of (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH)

7 NSA hacking Tools list From Extracted Shadowbrokers File

Another Folder contains DLL of  Shellcode Payload, in the Files which has been Downloaded from shadowbrokers.zip

Once file has successfully unpacked then it will scan the  random port of 445 on the internet.

This payload push it to First stage Malware and it expects running Tor process from first stage for instructions from C&C. Researcher explained . 

Since it has performing with Many NSA hacking tools its may developed for Hidden Communications with the Victims  which controllable via C&C server commands.

EternalRocks could represent a serious threat  to PCs with defenseless SMB ports presented to the Internet, if its creator could ever choose to weaponize the worm with ransomware, a Bank trojan, RATs, or whatever else.

Source: https://gbhackers.com/new-smb-network-worm-microbotmassivenet-using-7-nsa-hacking-tools-wannacry-using-only-two/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: