Think you got off scot-free with regard to this whole WannaCry business? Well, it turns out that you might be immune to infection by WannaCry because you’ve already been infected by Adylkuzz, a piece of malware that mines the Monero cryptocurrency. #irony
Last week the WannaCry ransomware attack made headlines around the world as it spread rapidly at an unprecedented and almost mindboggling pace, infecting thousands of computers worldwide. But the next wave of attacks using the same tactics and techniques is already underway. In fact, it’s been active for weeks now. And it’s quietly getting bigger too.
Proofpoint claims the Adylkuzz attack likely predates the WannaCry attack by several weeks and may have begun as early as April 24th. Much like WannaCry, Adylkuzz now possibly affects “hundreds of thousands of PCs and servers worldwide” and is being spread using the same exploits, EternalBlue and DoublePulsar, which were released by the Shadow Brokers and were allegedly stolen from the NSA.
Unlike WannaCry, Adylkuzz is not ransomware. Although Adylkuzz infects computers using techniques similar to WannaCry’s, instead of making a lot of noise, encrypting all of the data on a user’s computer and then demanding a ransom to restore access, it hides in the background and makes money by installing a cryptocurrency mining program, otherwise known as a “coin miner”.
What are the symptoms of an Adylkuzz infection?
Adylkuzz doesn’t want to be found, so it will do everything possible to go unnoticed by the user and evade detection. It doesn’t interfere at all with a user’s ability to use an infected computer; however, there are some tell-tale signs of infection, albeit far more subtle than WannaCry’s bright red ransom note.
Symptoms of this attack likely include loss of access to shared Windows resources, such as network drives and printers, as well as a general and unexplained sluggishness in overall system performance.
Adylkuzz isn’t ransomware; it’s a “coin mining” botnet
So why is it so stealthy and what is it doing with your computer?
Unlike WannaCry, Adylkuzz doesn’t want your money. It wants to use your computer to mine Monero coins.
When it installs, Adylkuzz uses the computer’s resources, its processor and/or graphics card, to perform complex computations which “mine” new Monero coins. Monero, for those not in the know, is a cryptocurrency similar to Bitcoin. At the time of this writing, one Monero coin is worth $31.3575262 USD and the entire Monero cryptocurrency has a market cap of $454,268,360 USD, so even though you may never have heard of it, it’s serious business.
Running a coin miner on a single computer, like yours for example, wouldn’t likely result in much financial gain; however, combining thousands, tens of thousands or even hundreds of thousands of infected computers into a single botnet controlled by cybercriminals would likely be lucrative.
How does the Adylkuzz attack actually work?
Adylkuzz has likely been around since October 2014; however, it has seen a resurgence and began accelerating its infection rate substantially in April of this year.
The attack is launched from multiple virtual private servers which scan the Internet for vulnerabilities that make it possible to install the Adylkuzz miner.
When a computer or server on the Internet is identified as vulnerable to the EternalBlue exploit, the malware targets the system for infection with DoublePulsar, which then downloads and runs Adylkuzz.
This is where it gets interesting… Adylkuzz not only terminates any pre-existing versions of itself on a target machine, it also deploys cleanup tools to mask itself. This includes blocking SMB network communications with other machines to prevent further malware infections from disrupting its operations.
Not only does this prevent other malware and ransomware attacks from using the same techniques to infect the system, it also prevents cybersecurity professionals from identifying that these computers were already infected.
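The two symptoms above, lost SMB access and a machine that is unpatched yet no longer answers on SMB, are things a defender can check fleet-wide without knowing anything specific about the malware. The following is an added example, not code from the original article or from Proofpoint’s research. It probes TCP/445 reachability with a plain socket and combines the result with two observations assumed to come from existing tooling (patch inventory for MS17-010 and average CPU load from monitoring); the field names, the CPU threshold and the local loopback listener used as a stand-in for a host that still answers on 445 are all assumptions made for illustration.

```python
"""Defender-side triage for the SMB symptoms described in the article.

Added example; not the article's or Proofpoint's code. An unpatched host that
has stopped answering on SMB is worth a closer look, because a local block of
SMB on an unpatched machine is exactly the behaviour the article describes.
"""
import socket
import threading
from dataclasses import dataclass

SMB_PORT = 445
HIGH_CPU_PERCENT = 80.0  # assumed threshold; tune to your own baseline


@dataclass
class HostObservation:
    name: str
    ms17_010_patched: bool   # assumed to come from patch inventory
    smb_reachable: bool      # result of probe_tcp() against the host
    avg_cpu_percent: float   # assumed to come from monitoring


def probe_tcp(host: str, port: int = SMB_PORT, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False


def triage(obs: HostObservation) -> str:
    """Classify one host from the three observations."""
    if obs.ms17_010_patched:
        return "patched"
    if obs.smb_reachable:
        return "exposed"            # still vulnerable and still listening
    if obs.avg_cpu_percent >= HIGH_CPU_PERCENT:
        return "suspect-miner"      # unpatched, SMB blocked, CPU pegged
    return "smb-blocked-unpatched"  # unpatched, SMB blocked: find out why


def triage_fleet(observations):
    """Group host names by triage category."""
    groups = {}
    for obs in observations:
        groups.setdefault(triage(obs), []).append(obs.name)
    return groups


def _local_listener() -> int:
    """Start a throwaway loopback listener (stand-in for a host that still
    answers on 445) and return its port; it accepts one connection and exits."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _closed_port() -> int:
    """Reserve and immediately release a loopback port so a probe of it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# Constructed observations standing in for a small fleet (not real hosts).
SAMPLE_FLEET = [
    HostObservation("fs01", ms17_010_patched=True,  smb_reachable=True,  avg_cpu_percent=12.0),
    HostObservation("ws07", ms17_010_patched=False, smb_reachable=True,  avg_cpu_percent=9.0),
    HostObservation("ws12", ms17_010_patched=False, smb_reachable=False, avg_cpu_percent=97.0),
    HostObservation("ws19", ms17_010_patched=False, smb_reachable=False, avg_cpu_percent=15.0),
]


if __name__ == "__main__":
    print("probe of a listening local port:", probe_tcp("127.0.0.1", _local_listener()))
    print("probe of a closed local port:   ", probe_tcp("127.0.0.1", _closed_port()))
    for category, hosts in sorted(triage_fleet(SAMPLE_FLEET).items()):
        print(f"{category:22s} {', '.join(hosts)}")
```

In practice the `smb_reachable` field would be filled by running `probe_tcp` from a host that is supposed to have SMB access to the target; a host that answered last week and is refused now, and is not in the patched set, goes to the top of the investigation queue rather than being counted as “safe”.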
Here’s a great example of this in action. While researching WannaCry, Proofpoint exposed a lab machine vulnerable to the EternalBlue attack to the Internet as a honeypot. It was immediately and unexpectedly infected by Adylkuzz, within 20 minutes. They repeated the experiment several times with the same result…
Why is Adylkuzz potentially a bigger problem than WannaCry?
Well, for starters, Adylkuzz is clearly being run by professionals. Unlike WannaCry, which has attracted an incredible amount of attention from both the media and law enforcement, Adylkuzz has quietly gone about its business, infecting systems at a similar pace while going unnoticed.
Just Google WannaCry and then Adylkuzz and see the difference for yourself…
And as a criminal business venture, Adylkuzz is doing much better too. It is highly sophisticated and automated, in contrast to the amateurish execution and manual processes that have limited WannaCry’s profits to a mere $92,896.91 as of 11AM Eastern, May 19th. No one is really sure yet how much money Adylkuzz has made.
Proofpoint, however, claims the system is set up to avoid paying too many Monero coins to a single address, but it has easily found several addresses which have received $7,000, $14,000 and $22,000 respectively, and claims there are “many more.” This indicates that the creators of Adylkuzz have avoided the collection and laundering problems that plague WannaCry, and by doing so have also made it extremely difficult to determine just how much money they are in fact making.
The other main concern is that users and companies who were “lucky” enough to have avoided WannaCry may have been spared because of a previous Adylkuzz infection that protected them. This may encourage complacency in patching and allow Adylkuzz to continue for weeks, months or even years on older systems, undetected.
Lastly, the creators of Adylkuzz appear to have iterated their attack vector to include the specific exploits that also made WannaCry possible, and went unnoticed by security researchers for weeks. It’s possible that without the noise created by WannaCry, Adylkuzz might have continued to ply its criminal trade unnoticed for some time.
This raises the question… what other exploits have they incorporated into their cybercriminal arsenal, and what else have they already deployed that we are unaware of at this time?