Home / malware TrojanDownloader:Win32/Eterock.A
First posted on 20 July 2019.
Source: MicrosoftAliases :
TrojanDownloader:Win32/Eterock.A is also known as W32.Eternalrocks, MicroBotMassiveNet.
Explanation :
Installation
This malware consists of several files. It will first download and install the .Net framework and the Tor browser. It will then drop or download two main programs masquerading as svchost.exe and taskhost.exe. The svchost.exe creates persistent scheduled tasks to run itself and taskhost.exe. It also adds Windows Firewall rules to allow the malicious processes and Tor browser to listen or connect through TCP and UDP. It also communicates with its command and control (C&C) server on the Tor network to download files or retrieve further instructions. Taskhost.exe is the exploit component of the malware and attempts to spread itself by exploiting remote machines using known SMB exploits from the Shadow Brokers exploit dump (ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy, and SMBTouch).
For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010 if you have not already done so.
The malware will attempt to download and install the following files from the following locations:
hxxp://download.microsoft.com/download/5/6/7/567758a3-759e-473e-bf8f-52154438565a/dotnetfx.exe hxxp://download.microsoft.com/download/a/3/f/a3f1bf98-18f3-4036-9b68-8e6de530ce0a/NetFx64.exe hxxp://archive.torproject.org/tor-package-archive/torbrowser/4.0.1/tor-win32-tor-0.2.5.10.zip hxxp://api.nuget.org/packages/taskscheduler.2.5.23.nupkg hxxp://api.nuget.org/packages/sharpziplib.0.86.0.nupk
It drops and writes files to the following locations:
C:Program FilesMicrosoft Updatesin C:Program FilesMicrosoft Updatesconfigs C:Program FilesMicrosoft Updatespayloads C:Program FilesMicrosoft Updatesshawdowbrokers.zip C:Program FilesMicrosoft Updatessvchost.exe C:Program FilesMicrosoft Updates askhost.exe C:Program FilesMicrosoft UpdatesTemp or.zip C:Program FilesMicrosoft UpdatesTor or.exe C:Program FilesMicrosoft Updates orunzip.exe
It communicates with the C&C server on the Tor network:
hxxp://ubgdgno5eswkhmpy.onion/updates/info?id= hxxp://ubgdgno5eswkhmpy.onion/updates/download?id=
It can configure and listen on a Tor hidden service, including:
HiddenServicePort 57480 127.0.0.1:41375
It adds the following Firewall rules for its files and open ports:
Microsoft Update Helper Microsoft Update Installer Microsoft Update Service Open TCP Port Open UDP Port
It can add a firewall rule named "Malware SMB Block" to block incoming TCP on port 445.
Payload
Downloads malware
This threat can download other malware onto your PC. It downloads two main programs masquerading as svchost.exe and taskhost.exe.
Taskhost.exe is the exploit component of the malware and attempts to spread itself by exploiting remote machines using known SMB exploits from the Shadow Brokers exploit dump (ArchiTouch, DoublePulsar, EternalBlue, EternalChampion, EternalRomance, EternalSynergy, and SMBTouch).
Connects to a remote host
We have seen this threat connect to a remote host, including: hxxp://ubgdgno5eswkhmpy.onion/updates/info?id= hxxp://ubgdgno5eswkhmpy.onion/updates/download?id= Malware can connect to a remote host to do any of the following: Download and run files (including updates or other malware) Receive instructions from a malicious hacker
This malware description was published using the analysis of files
SHA1 b05f2d07d0af1184066f766bc78d1b680236c1b3 TrojanDownloader:Win32/Eterock.A SHA1 7ffc0e123e6111e558fb99844d3b317694e419b2 Trojan:Win32/Eterock.A SHA1 8a2cfe220eebde096c17266f1ba597a1065211ab TrojanDropper:MSIL/Eterock.A
Analysis by Jody KooLast update 20 July 2019