
A deep dive into Data Privacy: Unraveling EternalRocks Ransomware

February 7, 2024

During this Data Privacy Week, we will be looking at the recent ransomware attack on KQ. This attack was carried out by a ransomware group known as ransommex, which has remained active since. In this blog, we will analyze a malware sample to understand, at a technical level, what really happens from the moment a user executes a malicious file up to the complete compromise of the user’s system.

There are two ways to analyze malware samples: static or dynamic analysis. We will use static analysis on a malware sample called the EternalRocks worm, which you can find here. EternalRocks emerged as a significant threat in the realm of cybersecurity in 2017. By delving into the code and artifacts without executing this malware, we aim to unravel its secrets and understand its potential impact on digital landscapes, which will also serve as a point of comparison with more recent, more advanced malware.

File analysis

After downloading the sample, we can extract it as follows, using the password “infected” (without the quotes).

Figure 1: Extracting the malware from the archive.

Using the file utility, we can see that it is indeed a Windows executable, which means the file is meant to be executed in a Windows environment. This makes sense, as most corporates run Windows as their main backbone operating system.

Figure 2: File structure.

In this file’s metadata, the hacking group that goes by the name Shadow Brokers had implanted fake details to make the executable look like legitimate Microsoft software in the eyes of a defender.

Figure 3: Malware file metadata.

Code Review

We can open the EternalRocks malware sample in Ghidra for a thorough review. Ghidra is a free, open-source reverse engineering tool that will help us understand the inner workings of this malware. This process involves analyzing the logic, functions and potential vulnerabilities embedded within the code. Additionally, we will scrutinize any obfuscation techniques employed to impede static analysis, unraveling the layers that conceal the true nature of this malware.

Being a network worm, this malware spreads through the public SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy. The first-stage malware, UpdateInstaller.exe, downloads the .NET components needed for the later stages, TaskScheduler and SharpZLib, from the Internet, while dropping svchost.exe.

Figure 4: Malware downloads TaskScheduler.
Figure 5: Malware downloads SharpZlib executable.

After the archives are downloaded, they are unzipped as shown below and stored under the path “c:\Program Files\Microsoft Updates”. This is done for both files once they have been downloaded.

Figure 6: Malware extracts the files downloaded.

The svchost.exe component is used to download, unpack and run Tor from archive.torproject.org, and for C2 communication with ubgdgno5eswkhmpy.onion to request further instructions.

Figure 7: Malware executes svchost.exe file.

The second-stage malware, taskhost.exe, is downloaded after a predefined period (24h) from https://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. On its initial run it drops the embedded shadowbrokers.zip and unpacks the directories payloads/, configs/ and bins/. It then starts a random scan of the Internet for open port 445, running the contained exploits (in the bins/ directory) and pushing the first-stage malware through the payloads (in the payloads/ directory). It also expects the Tor process started by the first stage to be running for further C2 communication.

Figure 8: Malware saves the files needed in disk C as shown
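The port 445 scanning described above gives a defender a network-side signal to look for. The following Python is an added example, not code from the original post: it parses constructed flow records (the record format, addresses, window and threshold are all assumptions) and flags any source that reaches many distinct hosts on TCP/445 within a short window, the pattern the second stage produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real telemetry): "ISO-time src dst dport" per line.
# 10.0.0.5 behaves like the second stage: many distinct targets on TCP/445 in a burst;
# 10.0.0.9 is ordinary traffic and must not be flagged.
SAMPLE_FLOWS = """\
2024-02-07T10:00:00 10.0.0.5 203.0.113.10 445
2024-02-07T10:00:01 10.0.0.5 198.51.100.7 445
2024-02-07T10:00:01 10.0.0.5 192.0.2.33 445
2024-02-07T10:00:02 10.0.0.5 203.0.113.77 445
2024-02-07T10:00:03 10.0.0.5 198.51.100.200 445
2024-02-07T10:00:03 10.0.0.5 192.0.2.9 445
2024-02-07T10:00:05 10.0.0.9 10.0.0.20 445
2024-02-07T10:00:06 10.0.0.9 10.0.0.21 443
2024-02-07T10:30:00 10.0.0.5 192.0.2.100 445
"""

def parse_flows(text):
    """Parse the constructed flow format into (time, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: max distinct TCP/445 targets seen in any `window`} for sources at
    or above `threshold`. Repeated connections to one host count once, so a client
    polling a single file share does not look like a scanner."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, conns in by_src.items():
        best = 0
        for i, (start, _) in enumerate(conns):   # window anchored at each connection
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[src] = best
    return flagged
```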

Host-based indicators

The paths are:
c:\Program Files\Microsoft Updates\SharpZLib.zip
c:\Program Files\Microsoft Updates\svchost.exe
c:\Program Files\Microsoft Updates\installed.fgh
c:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll
c:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll
c:\Program Files\Microsoft Updates\SharpZLib\
c:\Program Files\Microsoft Updates\temp\tor.zip
c:\Program Files\Microsoft Updates\temp\Tor\
c:\Program Files\Microsoft Updates\required.glo
c:\Program Files\Microsoft Updates\taskhost.exe
c:\Program Files\Microsoft Updates\TaskScheduler.zip
c:\Program Files\Microsoft Updates\TaskScheduler\
c:\Program Files\Microsoft Updates\torunzip.exe – in older variants

For persistence, the two scheduled tasks ServiceHost and TaskHost had multiple triggers.

Figure 9: Task list on Windows system.
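The paths and task names above can be checked mechanically on a suspect host. The following Python is an added example, not code from the original post: it matches a file inventory against the listed paths (and anything else under the staging directory) and parses `schtasks /query /fo CSV` output for the two task names; the sample paths and CSV text are constructed.

```python
import csv
import io
import ntpath
# File paths the post lists as host-based indicators (older-variant helper included).
INDICATOR_PATHS = [
    r"c:\Program Files\Microsoft Updates\SharpZLib.zip",
    r"c:\Program Files\Microsoft Updates\svchost.exe",
    r"c:\Program Files\Microsoft Updates\installed.fgh",
    r"c:\Program Files\Microsoft Updates\ICSharpCode.SharpZipLib.dll",
    r"c:\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll",
    r"c:\Program Files\Microsoft Updates\temp\tor.zip",
    r"c:\Program Files\Microsoft Updates\required.glo",
    r"c:\Program Files\Microsoft Updates\taskhost.exe",
    r"c:\Program Files\Microsoft Updates\TaskScheduler.zip",
    r"c:\Program Files\Microsoft Updates\torunzip.exe",
]
# Scheduled task names the post identifies as the persistence mechanism.
INDICATOR_TASKS = {"servicehost", "taskhost"}
# The staging directory does not exist on a clean install (the real svchost.exe lives
# under C:\Windows\System32), so anything beneath it is suspicious by itself.
STAGING_DIR = r"c:\program files\microsoft updates"

def normalize(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return ntpath.normpath(path).lower()

def match_host_indicators(observed_paths):
    """Return observed paths that are known indicators or live in the staging dir."""
    known = {normalize(p) for p in INDICATOR_PATHS}
    return [p for p in observed_paths
            if normalize(p) in known or normalize(p).startswith(STAGING_DIR + "\\")]

def match_scheduled_tasks(schtasks_csv: str):
    """Parse `schtasks /query /fo CSV` output; return task names in the IOC set."""
    # schtasks prints the task path (e.g. \TaskHost); match on the leaf name only.
    # Repeated header rows (schtasks prints one per task folder) simply fail to match.
    return [(row.get("TaskName") or "") for row in csv.DictReader(io.StringIO(schtasks_csv))
            if (row.get("TaskName") or "").rsplit("\\", 1)[-1].lower() in INDICATOR_TASKS]

# Constructed sample input standing in for a real file inventory and schtasks output.
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",                      # legitimate
    r"C:\Program Files\Microsoft Updates\svchost.exe",       # dropped first stage
    r"C:\Program Files\Microsoft Updates\temp\Tor\tor.exe",  # unpacked Tor
]
SAMPLE_SCHTASKS = ('"TaskName","Next Run Time","Status"\n'
                   '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
                   '"\\TaskHost","N/A","Ready"\n'
                   '"\\ServiceHost","N/A","Running"\n')
```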

IOCs shared on the internet also include file hashes of the samples.


Conclusion:

In conclusion, the static analysis of EternalRocks yields invaluable insights into its composition and functionalities. This knowledge empowers organizations to fortify their defenses and respond effectively to the ever-evolving landscape of cybersecurity threats. Ongoing vigilance and analysis remain paramount in safeguarding digital assets from emerging and sophisticated malware strains. Now that we have understood a high-level overview of how malware works, what can we do to protect ourselves?

Among the good habits recommended by malware researchers are:

  • Keeping software up to date – regular software updates ensure timely security patches.
  • Antivirus software – Use of antivirus software helps guard against known viruses and new ones through behavioral techniques.
  • Educating employees against attacks such as phishing – users remain the weakest link to date.
