Security researchers at Proofpoint have revealed another attack that uses the same exploits deployed in the WannaCry global ransomware outbreak. Specifically, Proofpoint researcher Kafeine reports that the EternalBlue exploit has been used together with the DoublePulsar backdoor, both of which were also deployed in the WannaCry operation. Instead of ransomware, however, this campaign distributes cryptocurrency mining software identified as Adylkuzz.
Technical Details about Adylkuzz WannaCry
Proofpoint says that they discovered “another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz.”
Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide. Because Adylkuzz shuts down SMB networking on an infected host to prevent further infections with other malware (including the WannaCry worm) through the same vulnerability, it may in fact have limited the spread of last week’s WannaCry infection.
The researchers believe that the Adylkuzz attack started between April 24 and May 2, which predates the WannaCry outbreak. Like the WannaCry ransomware campaign, it succeeded by targeting machines that had not yet installed Microsoft’s March 2017 security update (MS17-010), which addressed the exploited SMB vulnerability.
“In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.”
The top symptoms of this malware are loss of access to shared Windows resources (a consequence of the miner blocking SMB on the infected host) and degraded PC and server performance (a consequence of the mining load).
Several large organizations also reported network issues that were originally attributed to the WannaCry campaign, the researchers note. These problems were most likely caused by Adylkuzz activity, since no ransom notes were reported. Worse, the attack appears to be ongoing, and although it has received little attention it is “quite large and potentially quite disruptive”.
The Adylkuzz attack is launched from several virtual private servers that are mass-scanning the Internet on TCP port 445 for potential victims. Once a machine is successfully exploited via EternalBlue, it is implanted with the DoublePulsar backdoor. The next stage is the download and execution of Adylkuzz, which is fetched from a different host than the one that performed the exploitation. Once running, the malware first terminates any instances of itself that are already present and then blocks SMB communication to prevent further infection, the researchers explain in their report.
Finally, Adylkuzz determines the victim’s public IP address and downloads the mining instructions, the cryptominer itself, and some cleanup tools. Multiple Adylkuzz command and control servers host the cryptominer binaries and mining instructions at any given time.
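The delivery chain above leaves two network-visible traces: one external source touching many internal hosts on TCP 445, followed by a probed host reaching out to a second external host for its payload. The following detection sketch is an added example written for this article, not Proofpoint’s code or anything from the Adylkuzz report; the log format, the addresses (TEST-NET ranges), the threshold and the function names are all constructed for illustration.

```python
"""
Detection sketch for the Adylkuzz delivery pattern described above:
external hosts mass-scanning TCP 445, then a probed victim fetching its
second stage from a different external host.
Added example; the log format and all addresses below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample of perimeter flow records (not real telemetry).
# Fields: timestamp source destination destination-port direction
SAMPLE_LOG = """\
2017-05-15T10:00:01Z 203.0.113.5 10.0.0.11 445 in
2017-05-15T10:00:01Z 203.0.113.5 10.0.0.12 445 in
2017-05-15T10:00:02Z 203.0.113.5 10.0.0.13 445 in
2017-05-15T10:00:02Z 203.0.113.5 10.0.0.14 445 in
2017-05-15T10:00:03Z 203.0.113.5 10.0.0.15 445 in
2017-05-15T10:00:09Z 10.0.0.12 198.51.100.7 80 out
2017-05-15T10:00:30Z 192.0.2.9 10.0.0.11 445 in
2017-05-15T10:00:31Z 10.0.0.20 10.0.0.11 445 in
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<dir>in|out)$"
)


def parse(log):
    """Yield one dict per well-formed record, in file (time) order."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_smb_scanners(records, min_targets=3):
    """Sources that probed at least min_targets distinct hosts on TCP 445.

    A single inbound 445 connection is normal; fan-out across many hosts
    is the scanning behaviour the report attributes to the attack VPSs.
    The threshold is an assumption, tune it to the monitored network.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dir"] == "in" and r["dport"] == "445":
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def find_second_stage_fetches(records, scanners):
    """(victim, remote) pairs where a host probed by a scanner later makes an
    outbound connection to some other external host.

    The report says Adylkuzz is downloaded from a host other than the one
    that exploited the victim, so a probe followed by an outbound fetch to
    a different address is the pattern of interest.
    """
    probed = set()
    fetches = []
    for r in records:  # relies on time-ordered input
        if r["dir"] == "in" and r["dport"] == "445" and r["src"] in scanners:
            probed.add(r["dst"])
        elif r["dir"] == "out" and r["src"] in probed and r["dst"] not in scanners:
            fetches.append((r["src"], r["dst"]))
    return fetches


def analyze(log, min_targets=3):
    """Run both checks over a log and return the findings."""
    records = list(parse(log))
    scanners = find_smb_scanners(records, min_targets)
    fetches = find_second_stage_fetches(records, set(scanners))
    return {"scanners": scanners, "fetches": fetches}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample this flags 203.0.113.5 as a 445 scanner and 10.0.0.12 as a host that fetched something from 198.51.100.7 after being probed. An outbound connection after a probe is a weak signal on its own (ordinary browsing looks the same), so treat the pairing as a triage lead, not proof of compromise, and confirm on the host by checking for the symptoms the article lists: SMB shares suddenly unreachable and sustained high CPU from an unfamiliar process.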
Adylkuzz Is Being Used to Mine Monero Cryptocurrency
Monero (XMR) is advertised as a secure, private, untraceable currency. It is open-source and freely available to all. With Monero, you are your own bank. According to Monero’s official website, only you control and are responsible for your funds, and your accounts and transactions are kept private from prying eyes.
Earlier this year, we wrote about the criminal potential of Monero, which had drawn the attention of the Federal Bureau of Investigation because of its possible use in crime.
Monero was launched in 2014 and has enhanced privacy features. It is a fork of the Bytecoin codebase and uses identity-obscuring ring signatures, which hide which of several possible inputs actually funded a transaction, so an observer cannot tell who sent the funds; one-time addresses likewise hide who received them. This is how the cryptocurrency conceals both ends of a transfer, and it is why miners like Adylkuzz favour it over a transparent chain such as Bitcoin.
The researchers say they have identified more than 20 hosts set up to scan and attack, and they are aware of more than a dozen active Adylkuzz command and control servers. They expect there are many more Monero mining payment addresses and Adylkuzz command and control servers still to be found.
Because researchers from various security companies expect many more attacks built on these exploits to follow, both organizations and home users are strongly advised to install Microsoft’s March update immediately. Note that patching closes the entry point but does not remove an existing DoublePulsar implant or a miner that is already running, so any host that shows the symptoms described above (unreachable SMB shares, unexplained CPU load) should be investigated and cleaned rather than simply patched.