The “Adylkuzz” botnet is a cryptocurrency miner. It infects victims’ computers and makes them secretly mine a cryptocurrency called Monero to make money for the attackers — “and it has been successful,” according to Proofpoint, a California-based cybersecurity firm. “…it’s rapidly growing, suggesting that this attack may be larger in scale than WannaCry.”
Adylkuzz is also extremely difficult to trace. That’s because it has no user interface – you’re likely not going to be aware that your machine has been infected.
The malware can be very troublesome for businesses because it causes a loss of access to shared Windows resources and degradation of PC and server performance.
Adylkuzz actually predates WannaCry. It has been attacking computers since May 2nd and even possibly April 24th – way earlier than the spread of WannaCry, according to the report from Proofpoint.
One of the key characteristics of the attack is that Adylkuzz shuts down the Microsoft Server Message Block (SMB) networking function.
Proofpoint is urging organizations to make sure their systems have been patched with the SMB update Microsoft released last month, because unpatched PCs and servers will remain vulnerable to the attack.
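A quick way to act on that advice is to audit each Windows host for the exposure described here: SMBv1 still enabled, TCP/445 listening, and the SMB update (Microsoft bulletin MS17-010) not installed. The script below is an added example, not code from the article or from Proofpoint; the KB identifiers differ per Windows build, so the `$Ms17010Kbs` parameter is an assumed placeholder to fill from the bulletin.

```powershell
# Added audit script (not from the article): reports whether this host still
# exposes the SMBv1 surface EternalBlue targets and whether the MS17-010 update
# is present. KB numbers vary by OS build, so they are a placeholder parameter.
param(
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER')   # assumption: fill in the KB(s) for this build
)

$result = [ordered]@{}

# SMBv1 server protocol state (Get-SmbServerConfiguration exists on Win8/2012 and later)
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    $result.SMB1Enabled = [bool]$smb.EnableSMB1Protocol
} catch {
    # Older hosts: fall back to the LanmanServer registry value (absent value means enabled)
    $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
         -Name SMB1 -ErrorAction SilentlyContinue
    $result.SMB1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
}

# Is any of the expected MS17-010 KBs installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$result.Ms17010Installed = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })

# Is TCP/445 listening, i.e. reachable by the SMB exploit over the network?
$result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# Exposed = listening on 445, SMBv1 on, and no MS17-010 update present
$result.Exposed = $result.Port445Listening -and $result.SMB1Enabled -and -not $result.Ms17010Installed
[pscustomobject]$result
```

Run it with elevated rights on each host and feed the `Exposed` flag into your patch-tracking, since a host already infected by Adylkuzz may show SMB blocked rather than listening.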
NSA leaks, Bitcoins, and drug money
As it was with WannaCry, Adylkuzz has been linked to vulnerabilities reported to have been stockpiled by the United States National Security Agency (NSA).
“The newly revealed attack uses the same recently NSA-leaked hacking tools and patched Microsoft vulnerability, but in a stealthier way and to different ends,” according to Ryan Kalember, senior vice-president of cybersecurity strategy at Proofpoint. “Two major attack campaigns have now employed the sophisticated NSA-leaked vulnerabilities and we expect others will follow.”
He said Adylkuzz is “more profitable for cyber criminals.”
“It makes infected users unwitting participants in providing funding for their attackers. Targeted machines are used to mine for the Monero cryptocurrency,” said Kalember. “Monero is a popular alternative to Bitcoin recently adopted by the AlphaBay darknet market to trade in drugs, stolen credit cards, and counterfeit goods.”
Proofpoint researchers said cyber criminals use the exploit EternalBlue to infect machines with the backdoor DoublePulsar.
DoublePulsar then downloads and runs Adylkuzz from another host.
Once running, Adylkuzz will stop any potential instances of malware (including itself) from running. It will block SMB communication to avoid further infection of the machine.
Adylkuzz then downloads the mining instructions, the cryptominer, and cleanup tools.
Adylkuzz mines for Monero. Monero is similar to Bitcoin “but with enhanced anonymity capabilities,” according to Proofpoint. It was adopted by the AlphaBay darknet market, described by law enforcement authorities as “a major underground website known to sell drugs, stolen credit cards, and counterfeit items.”
How much could Adylkuzz be costing victims?
The whole process might be complicated but rewards miners pretty well.
At the current exchange rate, 7.58 Monero is equivalent to US$205.
In one of the Monero addresses associated with an Adylkuzz attack identified by Proofpoint, the hash rate shows just over $22,000 was paid out before the mining stopped.
Proofpoint said the miners appear to switch addresses to avoid having too many Moneros paid to a single address. The company found another address was paid $7,000 and yet another received $14,000.