On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to detect vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.
Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.
Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity. It should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.
In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.
Figure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz being downloaded from another host. A hash of a pcap of this capture is available in the IOCs table.
The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets.
Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.
It appears that at any given time there are numerous Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.
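The infection chain described above leaves two network-visible signals a defender can look for: one source touching many hosts on TCP/445 in a short window (the scanning phase), followed by a probed host opening a connection to a different external host shortly afterwards (the backdoor fetching its payload). The detector below is an added example, not Proofpoint's code, and runs over constructed flow records embedded inline; the 10.0.0.0/8 internal range, the documentation-range addresses, the three-target threshold and the time windows are assumptions chosen for illustration.

```python
"""Flag SMB mass-scanning and a possible second-stage download in flow logs.

Added example (not from the original post). Input format, assumed here, is
one flow per line: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed site addressing; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample flows using RFC 5737 documentation addresses.
# 198.51.100.7 probes four internal hosts on 445 within seconds; 10.0.0.6 then
# reaches out to a second external host (203.0.113.9). The remaining lines are
# benign noise: a single external 445 hit, internal SMB, ordinary browsing.
SAMPLE_FLOWS = """\
2017-05-13T09:30:00 192.0.2.3 10.0.0.5 445 tcp
2017-05-13T10:00:00 198.51.100.7 10.0.0.5 445 tcp
2017-05-13T10:00:01 198.51.100.7 10.0.0.6 445 tcp
2017-05-13T10:00:02 198.51.100.7 10.0.0.7 445 tcp
2017-05-13T10:00:03 198.51.100.7 10.0.0.8 445 tcp
2017-05-13T10:00:40 10.0.0.6 203.0.113.9 80 tcp
2017-05-13T10:05:00 10.0.0.5 10.0.0.20 445 tcp
2017-05-13T10:06:00 10.0.0.9 203.0.113.50 443 tcp
""".splitlines()


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(port), "proto": proto}


def find_smb_scanners(flows, min_targets=3, window=timedelta(minutes=5)):
    """Return sources that hit >= min_targets distinct internal hosts on
    TCP/445 inside any sliding window. Internal sources are included so that
    lateral spread from an already-infected host is caught as well."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445 and is_internal(f["dst"]):
            by_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        in_window = Counter()   # distinct destinations currently in the window
        left = 0
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[left][0] > window:      # slide the left edge
                old = hits[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                scanners.add(src)
                break
    return scanners


def find_second_stage(flows, scanners, lookahead=timedelta(minutes=30)):
    """For each internal host probed on 445 by a known scanner, report later
    outbound connections to an external host other than the one that probed
    it: the pattern of a backdoor fetching its payload from a second host.
    Returns unique (victim, exploit_src, download_host) tuples."""
    flows = sorted(flows, key=lambda f: f["ts"])
    probes = []          # (ts, victim, exploit_src)
    findings, seen = [], set()
    for f in flows:
        if f["src"] in scanners and f["dport"] == 445 and is_internal(f["dst"]):
            probes.append((f["ts"], f["dst"], f["src"]))
            continue
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue     # only internal -> external flows can be a download
        for t0, victim, exploit_src in probes:
            if (f["src"] == victim and f["dst"] != exploit_src
                    and timedelta(0) <= f["ts"] - t0 <= lookahead):
                key = (victim, exploit_src, f["dst"])
                if key not in seen:
                    seen.add(key)
                    findings.append(key)
    return findings


def analyze(lines):
    flows = [parse_flow(line) for line in lines]
    scanners = find_smb_scanners(flows)
    return scanners, find_second_stage(flows, scanners)


if __name__ == "__main__":
    scanners, stage2 = analyze(SAMPLE_FLOWS)
    print("445 scanners:", sorted(scanners))
    for victim, src, host in stage2:
        print(f"{victim} probed by {src}, then connected out to {host}")
```

The second signal is deliberately conservative: it only considers hosts that a flagged scanner actually reached on 445, so ordinary outbound browsing from unprobed hosts (10.0.0.9 in the sample) is never reported. In practice the flagged download hosts would be checked against the published IOCs and the thresholds tuned to the site's normal SMB traffic.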
Figure 2 shows the post-infection traffic generated by Adylkuzz in this attack.
Figure 2: Post-infection traffic associated with the attack
In this attack, Adylkuzz is being used to mine Monero cryptocurrency. Similar to Bitcoin but with enhanced anonymity capabilities, Monero recently saw a surge in activity after it was adopted by the AlphaBay darknet market, described by law enforcement authorities as “a major underground website known to sell drugs, stolen credit cards and counterfeit items.” Like other cryptocurrencies, Monero increases market capitalization through the process of mining. This process is computationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at current exchange rates.
Figure 3 shows Adylkuzz mining Monero cryptocurrency, a process that can be more easily distributed across a botnet like the one created here than in the case of Bitcoin, which now generally requires dedicated, high-performance machines.
Figure 3: Part of the behavioral analysis from an Adylkuzz-infected VM showing it, among other things, closing the SMB port and launching Monero mining
One of several Monero addresses associated with this attack is shown in Figure 4. The hash rate shows the relative speed with which the specific associated instance of the botnet is mining Moneros, while the total paid shows the amount paid to this particular address for mining activities. In this case, just over $22,000 was paid out before the mining associated with this address ceased.
Figure 4: One of several Monero addresses associated with income from Adylkuzz mining
Looking at the mining payments per day associated with a single Adylkuzz address, we can see the increased payment activity beginning on April 24 when this attack began. We believe that the sudden drop that occurred on May 11 indicates when the actors switched to a new mining user address (Figure 5). By regularly switching addresses, we believe the actors are attempting to avoid having too many Moneros paid to a single address.
Figure 5: Daily payment activity associated with a single Adylkuzz mining address
Statistics and payment history for a second payment address are shown in Figure 6. This address has had just over $7,000 paid to date.
Figure 6: A second Monero address associated with income from Adylkuzz mining
A third address shows a higher hash rate and a current payment total of over $14,000 (Figure 7).
Figure 7: A third Monero address associated with income from Adylkuzz mining
We have currently identified over 20 hosts set up to scan and attack, and are aware of more than a dozen active Adylkuzz C&C servers. We also expect that there are many more Monero mining payment addresses and Adylkuzz C&C servers associated with this activity.
Like last week’s WannaCry campaign, this attack makes use of leaked NSA hacking tools and leverages a patched vulnerability in Microsoft Windows networking. The Adylkuzz campaign, in fact, predates WannaCry by many days. For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible.
We want to thank:
- Our friends at Trend Micro for input permitting us to add more IOCs
- Cloudflare and Choopa for their prompt action upon notification.
- @benkow_ for several inputs.