Weeks before the WannaCry ransomware worm tore up the internet by exploiting a leaked NSA exploit, another strain of malware was already doing it. That malware, Adylkuzz, is a cryptocurrency miner that, like WannaCry, has likely infected hundreds of thousands of computers across the globe.
Though the WannaCry rampage didn’t happen until May 12, the hacking group known as Shadow Brokers leaked NSA exploit tools a month before. SophosLabs and others have concluded that WannaCry spread with the help of the NSA’s EternalBlue Exploit (CC-1353). The exploit targets a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.
Adylkuzz has used that and another exploit divulged in the Shadow Brokers leak called DoublePulsar. Fortunately, SophosLabs has been detecting and blocking it from harming customer computers.
Below the radar
Researchers at Proofpoint said the Adylkuzz attack is designed to generate digital cash. It wasn’t previously discovered because, unlike WannaCry, it allows computers to operate while creating the digital cash in the background. In an interesting twist, Proofpoint said Adylkuzz shuts down SMB networking to block infections by other malware, including WannaCry. That may have actually helped to limit WannaCry’s spread.
From Proofpoint’s report:
The attack is launched from several virtual private servers which are massively scanning the internet on TCP port 445 for potential targets.
Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.
It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.
Gimme all your Monero
Though Bitcoin tends to be the cryptocurrency of choice in most ransomware attacks, Adylkuzz is designed to collect Monero. This is the same cryptocurrency sought in the so-called “Kirk” ransomware campaign Naked Security reported on a couple months ago.
That strain of ransomware, outlined in a report by SophosLabs researcher Dorka Palotay, appends .kirked to the name of the files it encrypts. The ransom note that goes with it offers a program called Spock to decrypt the files.
Monero was also the cyptocurrency of choice for Mal/Miner-C malware, ransomware SophosLabs detects as Troj/Ransom-EJN.
Defensive measures
Whether it’s WannaCry or Adylkuzz, the best advice, especially given the wormy nature of these malware families, is to:
- Stay on top of all patch releases and apply them quickly, especially those released by Microsoft.
- If at all possible, replace older Windows systems with the latest versions.
And since these malware families are all about collecting cryptocurrency, it’s worth repeating our ransomware advice:
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
- Use Sophos Intercept X and, for home (non-business) users, register for Sophos Home Premium Beta, which stops ransomware in its tracks by blocking the unauthorized encryption of files.