Kevin MageeThink you got off scot-free with this whole WannaCry business? Well, it turns out that you might be immune to infection by WannaCry because you’ve already been infected by Adylkuzz. #irony
Last week, the WannaCry ransomware attack made headlines around the world as it spread at an unprecedented and almost mindboggling fast pace, infecting thousands of computers worldwide. Now, the next wave of attacks using the same tactics and techniques is underway. In fact, it’s already been active for weeks—and is quietly getting bigger, too.
Proofpoint claims the Adylkuzz attack likely predates the WannaCry attack by several weeks and may have begun as early as April 24. Much like WannaCry, Adylkuzz now possibly affects hundreds of thousands of PCs and servers worldwide and spreads leveraging the same exploits—EternalBlue and DoublePulsar—that were released by the Shadow Brokers and allegedly stolen from the NSA.
Unlike WannaCry, however, Adylkuzz is not ransomware. While Adylkuzz infects computers through similar techniques as WannaCry, instead of making a lot of noise and encrypting all of the data on a user’s computer and demanding a ransom to restore access, it hides in the background and digitally makes money by installing a cryptocurrency program otherwise known as a “coin miner.”
What Are the Symptoms of an Adylkuzz Infection?
Adylkuzz doesn’t want to be found and so will do everything possible to evade detection and go unnoticed by the user. It doesn’t interfere at all with a user’s ability to use an infected computer, but there are some tell-tale signs of infection that are more subtle than WannaCry’s bright red ransom note. For example, symptoms could include loss of access to shared Windows resources such as network drives and printers as well as a general and unexplained sluggishness or slowness of overall system performance.
Adylkuzz Isn’t Ransomware. It’s a “Coin Mining” Botnet.
So why is Adylkuzz so stealthy and what’s it doing with your computer?
Unlike WannaCry, Adylkuzz doesn’t want your money. It wants to use your computer to mine Monero coins. When it installs, Adylkuzz uses a computer’s resources, its processor and/or graphics card to perform complex computations that “mine” new Monero coins, a cryptocurrency similar to Bitcoin. At the time of this writing, one Monero coin is worth $31.3575262 USD and the entire Monero cryptocurrency has a market cap of $454,268,360 USD. So even though you may have never heard of it, it’s serious business.
Running a coin miner on a single computer like yours, for example, wouldn’t likely result in much of a financial gain. However, combining thousands, tens of thousands or even hundreds of thousands of infected computers into a single botnet that can be controlled by cybercriminals could be lucrative.
How Does the Adylkuzz Attack Actually Work?
Around since about October 2014, Adylkuzz has seen a resurgence and began accelerating its infection rates substantially in April of this year.
The Adylkuzz attack is launched from multiple virtual private servers that scan the Internet for vulnerabilities and make it possible to install the Adylkuzz miner. When a computer or server on the Internet is identified as vulnerable to the EternalBlue exploit, the malware targets the system for infection with DoublePulsar, which then downloads and runs Adylkuzz.
This is where it gets interesting. Adylkuzz not only terminates any pre-existing versions of itself on a target machine, it also deploys cleanup tools to mask itself. This includes blocking SMB network communications with other machines to prevent any further malware infections from disrupting its operations. Not only does this prevent other malware and ransomware attacks from using the same techniques to infect the system, it also prevents cybersecurity professionals from identifying that these computers were already infected.
Here’s a great example of this in action. While researching WannaCry, Proofpoint exposed a lab machine vulnerable to the EternalBlue attack on the Internet as a honeypot. It was immediately and unexpectedly infected by Adylkuzz within 20 minutes. They repeated the experiment several times with the same result.
Why Is Adylkuzz Potentially a Bigger Problem Than WannaCry?
For starters, Adylkuzz is clearly being run by professionals. Unlike WannaCry, which has attracted an Incredible amount of attention from both the media and law enforcement, Adylkuzz has quietly gone about its business infecting systems at a similar pace unnoticed.
Just Google WannaCry and Adylkuzz to see the difference for yourself.
As a criminal business venture, Adylkuzz is doing much better, too. Highly sophisticated and automated versus the amateurish execution and manual processes that have limited WannaCry’s profits to a mere $92,896.91 as of May 19 at 11 a.m. EST, Adylkuzz had made . . . well, no one knows for sure how much money it’s made.
Proofpoint, however, claims the system is set up in a way to avoid paying too many Monero coins to a single address, and has easily found several addresses that have received $7,000, $14,000, and $22,000 and says there are “many more.” This indicates that the creators of Adylkuzz have avoided the collection and laundering problems that plague WannaCry and, by doing so, have also made it extremely difficult to determine just how much money they are making.
Another concern is that users and companies who were “lucky” enough to have avoided WannaCry may have been spared because of a previous Adylkuzz infection that protected them. This may encourage complacency in patching and allow Adylkuzz to continue to go undetected for weeks, months or even years on older systems.
Lastly, the creators of Adylkuzz appear to have iterated their attack vector to include the specific exploits that also made WannaCry possible and went unnoticed by security researchers for weeks. It’s possible that without the noise created by WannaCry, Adylkuzz may have continued to ply its criminal trade unnoticed for some time.
This begs the questions: What other exploits have they incorporated into their cybercriminal arsenal? And what else have they already deployed that we’re unaware of?
Originally posted at InfoSecIsland.
