ThaiCERT    ETDA    MDES

Threat Group Cards: A Threat Actor Encyclopedia

Tool: EternalRomance

Names: EternalRomance
Category: Exploits
Type: 0-day
Description: (Microsoft) ETERNALROMANCE is a remote code execution (RCE) exploit against the legacy SMBv1 file sharing protocol. It takes advantage of CVE-2017-0145, which has been patched with the MS17-010 security bulletin. One might note that file sharing over SMB is normally used only within local networks and that the SMB ports are typically blocked from the internet at the firewall. However, if an attacker has access to a vulnerable endpoint running SMB, the ability to run arbitrary code in kernel context from a remote location is a serious compromise.

This exploit was written to remotely install and launch an SMB backdoor. At the core of this exploit is a type confusion vulnerability leading to an attacker offset controlled arbitrary heap write. As with almost any heap corruption exploit, the attacker must know or control the layout of the heap to consistently succeed. With SMB, most objects are allocated in the non-paged pool.
Information: <https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:eternalromance>

Last change to this tool card: 19 April 2020

All groups using tool EternalRomance

APT groups

Name                             Country   Observed
Calypso                          China     2016-Mar 2021
Turla, Waterbug, Venomous Bear   Russia    1996-Feb 2021

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
