Posted on May 17, 2017 at 2:22 PM
Researchers have discovered a stealthy botnet used for mining cryptocurrency. It appears that this botnet used the same exploit as the WannaCry ransomware that terrorized over 150 countries during the weekend. Notably, the botnet was organized before the ransomware outbreak, and it seems that it actually stopped WannaCry on some devices.
WannaCry infected over 200,000 devices in only a few days, locked them down and demanded payment. It was very loud, public, and noticeable. Beneath the surface, however, another piece of malware was running its own attack. Adylkuzz, a mining malware, was also spreading, and researchers found that this stealthy miner went unnoticed because it was quietly mining Monero, one of the popular cryptocurrencies.
Kafeine, a Proofpoint researcher, claims that this malware started its attacks around April 24. It infected computers by using the very same NSA EternalBlue exploit, through which it targeted Microsoft’s SMB networking protocol. It is even believed that this attack might be larger than WannaCry.
Microsoft has stated that WannaCry spreads in two ways: it either infects unpatched computers with a worm-like behavior, or it scans the internet to find connected but vulnerable machines. Adylkuzz only scans for the machines that are exposed, and then it sneaks in.
Adylkuzz might not have been discovered for a long time had it not been for WannaCry. While the researchers were probing WannaCrypt, they accidentally stumbled upon Adylkuzz, which is not ransomware but a mining botnet. Surprisingly, it turned out that computers infected with Adylkuzz actually managed to resist WannaCry. This was possible because the operators of the botnet ‘closed the door behind them’.
Kafeine has said that “Once Adylkuzz has been launched on a machine, if Adylkuzz succeeds in closing SMB communication, which it did in all my runs, the machine can’t be infected by WannaCry through SMB through its ‘worm’ capabilities until the owner undoes what Adylkuzz did.”
Despite Adylkuzz being less destructive, it is still malware that steals from its victims. Three Monero addresses were found to be connected to this attack, and they generated $7,000, $14,000, and $22,000 respectively. All three of these addresses were banned today by an unknown crypto pool.
Kafeine has explained that this malware scans the internet for an unprotected TCP port 445 and uses it as an entrance to the device. It exploits the flaw with EternalBlue and then infects computers with DoublePulsar, which in turn downloads Adylkuzz. That is when the malware itself takes control: it locks SMB communications, determines the IP address, and downloads crypto miners, cleanup tools, and its instructions.
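The behaviour described above, a single source reaching out to many distinct hosts on TCP port 445, is what a defender can look for in perimeter or host firewall logs. The following is an added example, not code from the article or from Proofpoint: it parses a few constructed connection-log lines (the log format, addresses and timestamps are assumptions made up for this example) and flags any source that contacts an unusually high number of distinct destinations on port 445.

```python
"""
Flag hosts that fan out to many distinct destinations on TCP/445, the
scanning pattern described for EternalBlue-based propagation.

The log format and all addresses below are constructed for this example;
adapt LINE_RE to your own firewall or flow-export format.
"""
import re
from collections import defaultdict

# Constructed firewall-style connection log (not real data).
SAMPLE_LOG = """\
2017-05-15T10:00:01Z ACCEPT TCP 10.0.0.5:49152 -> 10.0.0.20:445
2017-05-15T10:00:01Z DROP TCP 10.0.0.5:49153 -> 10.0.0.21:445
2017-05-15T10:00:02Z DROP TCP 10.0.0.5:49154 -> 10.0.0.22:445
2017-05-15T10:00:02Z DROP TCP 10.0.0.5:49155 -> 10.0.0.23:445
2017-05-15T10:00:03Z ACCEPT TCP 10.0.0.5:49156 -> 10.0.0.24:445
2017-05-15T10:00:03Z DROP TCP 10.0.0.5:49157 -> 10.0.0.25:445
2017-05-15T10:00:04Z ACCEPT TCP 10.0.0.9:51000 -> 10.0.0.30:445
2017-05-15T10:00:05Z ACCEPT TCP 10.0.0.9:51001 -> 10.0.0.30:445
2017-05-15T10:00:06Z ACCEPT TCP 10.0.0.7:52000 -> 93.184.216.34:443
this line is deliberately malformed and must be skipped
"""

# One regex for the assumed "<ts> <action> TCP <src>:<sport> -> <dst>:<dport>" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def smb_fanout(lines, port=445, threshold=5):
    """
    Map each source IP to the sorted list of distinct destinations it
    contacted on `port`, keeping only sources at or above `threshold`.

    Both ACCEPT and DROP records count: a scanner that is mostly being
    dropped is still a scanner, and the fan-out is the signal.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts)
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, dsts in smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src} contacted {len(dsts)} distinct hosts on TCP/445: {dsts}")
```

The threshold is deliberately a parameter: a file server legitimately talks to many clients on 445, so tune it per network segment and allow-list known servers. The check also pairs well with the quote from Kafeine above: a host that suddenly stops answering on 445 after a burst of outbound 445 connections deserves a closer look.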