
Cryptocurrency Miner Named 'Adylkuzz' Attacks Networks Through EternalBlue and DoublePulsar Malware


While the infamous WannaCry ransomware made cybersecurity headlines in 2017, malicious actors had simultaneously been using the same exploits to spread a cryptocurrency miner named Adylkuzz. Like WannaCry, Adylkuzz used leaked NSA hacking tools to exploit a Microsoft Windows networking vulnerability, and it disabled networking on infected devices; this led researchers to believe that the Adylkuzz attacks predated WannaCry in many ways.

In 2017, a massive ransomware attack exploited EternalBlue to infect LANs and wireless networks worldwide. EternalBlue has been identified as part of the Shadow Brokers dump of NSA hacking tools. It discovers vulnerable computers and propagates malicious payloads by exploiting the Microsoft Server Message Block vulnerability MS17-010 on TCP port 445. Combining EternalBlue with another NSA backdoor tool called DoublePulsar, attackers installed the notorious WannaCry ransomware.

However, researchers detected another large-scale attack that also employed both EternalBlue and DoublePulsar to infect computers, yet this time with a cryptocurrency miner called Adylkuzz.

The discovery was made after researchers deliberately exposed a lab machine vulnerable to EternalBlue. Upon successful exploitation through EternalBlue, the device was infected with DoublePulsar, which then opened the way for Adylkuzz to be run from another host. After blocking SMB communication, the miner determined the victim's public IP address and downloaded mining instructions along with certain cleanup tools. In this particular instance, Adylkuzz was used to mine the Monero cryptocurrency. Observing one of the several Monero addresses associated with this attack reveals that mining ceased after $22,000 had been paid to that address. The daily mining payments associated with one specific address also show that the attackers regularly switched between several addresses to avoid too many Monero coins being transferred to a single one.

Common symptoms of Adylkuzz include lost access to shared Windows resources and deteriorating PC performance. In several suspected WannaCry attacks on large corporate networks, the lack of a ransom note implies that the reported networking issues were actually caused by Adylkuzz activity. Researchers even claim that Adylkuzz installation statistics suggest a much larger impact than WannaCry, since the miner shuts down SMB networking on affected computers and thus prevents the installation of additional malware through the same vulnerability. Adylkuzz may therefore have actually limited the WannaCry propagation during that period. Over 20 hosts used to scan and attack were identified during the investigation, along with more than a dozen active Adylkuzz command-and-control servers.
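The infection sequence described above (inbound SMB exploitation from outside, SMB then blocked on the victim, followed by outbound fetches of the public IP and mining instructions) can be turned into a stage-sequence detector over host telemetry. This is an added example, not code from the original article or from the researchers it cites; the event schema, the internal address ranges and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal address space of the monitored network (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# The chain stages from the article, in the order they must occur on one host.
CHAIN = ("smb_inbound_external", "smb_blocked", "http_out")
WINDOW = timedelta(minutes=15)  # all three stages must fall inside this window

# Constructed sample telemetry, not real logs: (time, host, event, detail).
SAMPLE_EVENTS = [
    ("2017-05-15T10:00:05", "ws-07", "smb_inbound", "203.0.113.9"),
    ("2017-05-15T10:00:41", "ws-07", "firewall_rule", "block in tcp 445"),
    ("2017-05-15T10:01:10", "ws-07", "http_out", "public-ip-lookup"),
    ("2017-05-15T10:01:30", "ws-07", "http_out", "fetch mining instructions"),
    ("2017-05-15T11:30:00", "ws-12", "smb_inbound", "10.0.0.5"),  # internal file server: benign
    ("2017-05-15T12:00:00", "ws-12", "firewall_rule", "block in tcp 3389"),
    ("2017-05-15T12:00:30", "ws-12", "http_out", "windows-update"),
]

def is_external(ip: str) -> bool:
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def normalize(event: str, detail: str):
    """Map a raw record onto a chain stage, or None if it is not part of the chain."""
    if event == "smb_inbound" and is_external(detail):
        return "smb_inbound_external"
    if event == "firewall_rule" and "block" in detail and "445" in detail:
        return "smb_blocked"          # victim stops accepting SMB, as Adylkuzz does
    if event == "http_out":
        return "http_out"
    return None

def find_adylkuzz_chains(events):
    """Return {host: [stage timestamps]} for hosts showing the full chain within WINDOW."""
    per_host = defaultdict(list)
    for ts, host, event, detail in sorted(events):
        stage = normalize(event, detail)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seq in per_host.items():
        idx, matched = 0, []
        for ts, stage in seq:
            if matched and ts - matched[0] > WINDOW:  # chain took too long: start over
                idx, matched = 0, []
            if stage == CHAIN[idx]:
                matched.append(ts)
                idx += 1
                if idx == len(CHAIN):
                    hits[host] = matched
                    break
    return hits
```

Run over the sample records, only ws-07 is flagged; the internal SMB traffic and unrelated firewall change on ws-12 do not complete the chain.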

Currently, the vulnerabilities exploited by the leaked EternalBlue and DoublePulsar hacking tools have been patched, so individuals and organizations are urged to keep their Windows computers up to date at all times.
