Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few days.
The most recent example comes from this morning, when a new worm, dubbed BlueDoom, was caught trying to exploit EternalBlue on a honeypot. The analysis done on BlueDoom hints that cyber criminals may be preparing to integrate an array of different exploits for an attack that combines a full set of digital weapons.
BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits. BlueDoom disguises itself as WannaCry, but it is a completely different type of worm that does not drop ransomware.
At the moment, BlueDoom seems focused on establishing a launching pad for future attacks.
The payload includes, among other things, components for installing TOR, which the worm uses as a C&C communication channel. This is where it retrieves the second stage of the payload.
The main component is called “taskhost.exe” and is approximately 4.6 MB in size (see the VirusTotal report).
Upon infection, BlueDoom (the internal name is EternalRocks) goes dormant for 24 hours. In the next stage, the worm connects to a TOR gateway (sanitized):
https[:]//ubgdgno5eswkhmpy[.]onion/updates/shadowsinstalled?Version=1.55
From the file properties, we find the name EternalRock:
To ensure that the first payload is not run more than once on a vulnerable client or server, BlueDoom creates the following mutex:
Unlike WannaCry, this worm does not have a “kill switch”. It does, however, include an arsenal of leaked NSA exploits: ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy, SMBTouch.
These are dropped to the C:\config folder with the following filenames:
It also drops the following in the C:\payloads folder:
It seems obvious that the payloads are intended for both 32-bit and 64-bit Microsoft Windows versions.
In the C:\bins folder, the following elements are dropped:
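The drop folders and the oversized “taskhost.exe” named above are the host-level artefacts a responder can look for. The following triage script is an added example and not part of the original article: it assumes the folder names are used verbatim as written above, treats the article's 4.6 MB figure as approximate (checked with a tolerance), and, because the page does not list the filenames inside the folders, only reports the folders and their file counts. The function name `Find-BlueDoomIndicators` is our own.

```powershell
# Added example (not from the original article): look for the file-system
# artefacts the article attributes to BlueDoom/EternalRocks on a Windows host.
function Find-BlueDoomIndicators {
    $findings = @()

    # Drop folders named in the article. Assumption: paths are used verbatim.
    $dropFolders = @('C:\config', 'C:\payloads', 'C:\bins')
    foreach ($dir in $dropFolders) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $count = (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
                      Measure-Object).Count
            $findings += [pscustomobject]@{
                Indicator = 'DropFolder'
                Detail    = "$dir exists ($count files)"
            }
        }
    }

    # The legitimate taskhost.exe lives under %SystemRoot%\System32. A copy
    # running from elsewhere, or one close to the ~4.6 MB the article reports,
    # is worth a closer look. Tolerance (4.4-4.8 MB) is our own assumption.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $minSize  = 4.4MB
    $maxSize  = 4.8MB
    Get-Process -Name 'taskhost' -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        if (-not $path) { return }   # access denied on protected processes; skip
        $outsideSystem32 = -not $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
        $size = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).Length
        $sizeMatches = $size -and $size -ge $minSize -and $size -le $maxSize
        if ($outsideSystem32 -or $sizeMatches) {
            $findings += [pscustomobject]@{
                Indicator = 'SuspiciousTaskhost'
                Detail    = "PID $($_.Id) at $path ($size bytes)"
            }
        }
    }

    return $findings
}

# Usage: run elevated so process paths are readable.
$results = Find-BlueDoomIndicators
if ($results.Count -eq 0) {
    Write-Host 'No BlueDoom indicators from the article found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

A hit on any of these should be treated as a lead for a full investigation rather than as proof of infection on its own; the folder names are generic enough that another application could legitimately create them, so the contents should be compared against the filenames the worm drops before escalating.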
As you can see, this is a dangerous arsenal of exploits and malicious code that can fuel the distribution of BlueDoom/EternalRock. This is something the entire security industry feared, because it could set the context for a widespread infection, maybe even bigger than WannaCry.
The BlueDoom worm consists of two modules:
1. A first-stage “rocket”, carried by the EternalBlue exploit.
2. A second phase that drops the main component of the infection, which currently has a detection rate of 13/61 on VirusTotal.
When enough zombie computers have registered with the C&C server, the complete infection arsenal is deployed.
You can prevent the BlueDoom worm from running by creating a process that holds the following mutex value: “8F6F00C4-B901-45fd-08CF-72FDEFF”.
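Because the first stage uses that mutex to avoid running twice (as described above), a process that creates the same mutex first acts as a “vaccine”. The script below is an added example and not part of the original article: the mutex value is the one given above, and two things are assumptions of ours, not facts from the page: that the worm creates the mutex in the Global namespace (so the `Global\` prefix is used) and that it uses the name verbatim. Before creating the mutex it checks whether something already holds it, since on an unpatched host that may itself indicate an infection.

```powershell
# Added example (not from the original article): hold the mutex the article
# names so that BlueDoom's first stage believes it is already running.
# Run elevated; creating objects in the Global namespace needs that privilege.
$MutexName = 'Global\8F6F00C4-B901-45fd-08CF-72FDEFF'   # value from the article; Global\ prefix is our assumption

# Step 1: if the mutex already exists, something else (possibly the worm) owns it.
$existing = $null
if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$existing)) {
    $existing.Dispose()
    Write-Warning "Mutex '$MutexName' already exists on this host. Investigate before assuming the vaccine is in place."
    exit 1
}

# Step 2: create and own the mutex. $createdNew tells us whether we won the race.
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
if (-not $createdNew) {
    $mutex.Dispose()
    Write-Warning "Mutex '$MutexName' was created by another process between the check and the creation."
    exit 1
}

Write-Host "Holding mutex '$MutexName'. Keep this process running (for example as a scheduled task at startup)."

# Step 3: stay alive; the mutex is released only when this process ends.
try {
    while ($true) { Start-Sleep -Seconds 3600 }
}
finally {
    $mutex.ReleaseMutex()
    $mutex.Dispose()
}
```

The mutex is released as soon as the process exits, so the script must be kept running (a scheduled task triggered at system startup is one way to do that) and it only affects the stage of the worm that checks this name; it does nothing against the SMB exploitation itself, which is why the article keeps patching as the primary measure.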
The TOR gateway and C&C domains are blocked in Heimdal PRO and Heimdal CORP, which prevents the main component of the infection from being downloaded.
We continue to urge both home users and companies to patch their systems as fast as possible! In order to provide a helping hand, we’ve created a guide to help you get this done faster:
*This article features cyber intelligence provided by CSIS Security Group researchers.