
Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few days.

The most recent example comes from this morning, when a new worm, dubbed BlueDoom, was caught trying to exploit EternalBlue on a honeypot. The analysis done on BlueDoom hints that cyber criminals may be preparing to integrate an array of different exploits for an attack that combines a full set of digital weapons.

BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits. BlueDoom disguises itself as WannaCry, but it is a completely different type of worm and does not drop ransomware.

At the moment, BlueDoom seems focused on establishing a launching pad for future attacks.

The payload includes, among other things, components for installing TOR, which the worm uses as a C&C communication channel. This is where it retrieves the second stage of the payload.

The main component is called “taskhost.exe” and is approximately 4.6 MB in size (see the VirusTotal report).

Upon infection, BlueDoom (internal name: EternalRocks) goes dormant for 24 hours. In the next stage, the worm connects to a TOR gateway (URL sanitized):

https[:]//ubgdgno5eswkhmpy[.]onion/updates/shadowsinstalled?Version=1.55

From the file properties, we find the name EternalRocks:

0050779E CompanyName
005077B8 Microsoft
005077D2 FileDescription
005077F4 EternalRocks
00507816 FileVersion
00507830 1.0.0.0

To ensure that the first payload is not run more than once on a vulnerable client or server, BlueDoom creates the following mutex:

\BaseNamedObjects\{8F6F00C4-B901-45fd-08CF-72FDEFF}

Unlike WannaCry, this worm does not have a “kill switch”. It does, however, include an arsenal of leaked NSA exploits: Architouch, Doublepulsar, EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Smbtouch.


These are dropped to the c:\config\ folder with the following filenames:

Architouch.inconfig
Doublepulsar.inconfig
Eternalblue.inconfig
Eternalchampion.inconfig
Eternalromance.inconfig
Eternalsynergy.inconfig
Smbtouchv.inconfig

It also drops the following in the c:\payloads\ folder:

ReflectivePick_x64.dll
ReflectivePick_x86.dll
x64.shellcode.out
x86.shellcode.out

It seems obvious that the payloads are intended for both 32-bit and 64-bit Microsoft Windows versions.

In the C:\bins\ folder, the following elements are dropped:



As you can see, this is a dangerous arsenal of exploits and malicious code that can fuel the distribution of BlueDoom/EternalRock. This is something the entire security industry feared because it could set the context for it to become a widespread infection, maybe even bigger than WannaCry.

The BlueDoom worm consists of two modules:
1. A first-stage “rocket”, carried by the EternalBlue exploit.
2. A second stage that drops the main component of the infection, which currently has a detection rate of 13/61 on VirusTotal.

(Screenshot: BlueDoom VirusTotal detection rates, May 18 2017)

Once enough infected (“zombie”) computers have registered with the C&C server, the complete infection arsenal is deployed.

You can prevent the BlueDoom worm from running by creating a process that holds a mutex with the following value: “8F6F00C4-B901-45fd-08CF-72FDEFF”.
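As an added example (not code from the original post or from the worm), the following PowerShell script first checks whether that mutex already exists on the host, which on an unpatched machine is worth investigating, and otherwise creates and holds it so the first-stage payload sees it as already run. It assumes the mutex name quoted above, placed in the global namespace (which maps to \BaseNamedObjects), and that the script runs in an elevated session; it is a stopgap that does not replace patching.

```powershell
# Mutex name as quoted in the post; the Global\ prefix puts the object in
# \BaseNamedObjects, the same namespace the worm's mutex was observed in.
$MutexName = 'Global\{8F6F00C4-B901-45fd-08CF-72FDEFF}'

function Test-BlueDoomMutex {
    # Returns $true if some process on this host already holds the mutex.
    $existing = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$existing)) {
            $existing.Dispose()
            return $true
        }
        return $false
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this session lacks rights to open it
        # (e.g. it was created by SYSTEM): treat as present.
        return $true
    }
}

function Start-BlueDoomVaccine {
    # Creates the mutex and returns the handle; it stays held until the
    # returned object is disposed or the owning process exits.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($true, $MutexName, [ref]$createdNew)
    if (-not $createdNew) {
        $mutex.Dispose()
        throw "Mutex $MutexName already exists; another process holds it."
    }
    return $mutex
}

if (Test-BlueDoomMutex) {
    Write-Warning "Mutex $MutexName is already present - check this host for infection."
} else {
    $held = Start-BlueDoomVaccine
    Write-Output "Holding $MutexName. Keep this process running; patching is still required."
    while ($true) { Start-Sleep -Seconds 3600 }
}
```

The vaccine only holds while the script's process is alive, so on a server it would need to run as a scheduled task or service that starts before network services come up.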

The TOR gateway and C&C domains are blocked in Heimdal PRO and Heimdal CORP, which prevents the main component of the infection from being downloaded.

We continue to urge both home users and companies to patch their systems as fast as possible! In order to provide a helping hand, we’ve created a guide to help you get this done faster:

How to Apply the Windows Update that Patches the EternalBlue SMB Exploit

*This article features cyber intelligence provided by CSIS Security Group researchers.
