Adylkuzz Malware That Could Spread More Than WannaCry
The last few days have been understandably exhausting for security teams around the globe due to the nasty ransomware WannaCry or WannaCrypt.
The malware spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the Shadow Brokers group a few weeks ago. We previously reported on this malware in our blog, and if, for some reason, you're unfamiliar with it, read about it now before continuing here.
Today another piece of malware has surfaced that uses the same exploit to spread itself to vulnerable machines. The malware, Adylkuzz, is a CoinMiner, which means that it uses machine resources, without the user's consent, to mine virtual currency. This specific variant was used to mine Monero coins.
This CoinMiner is not a new variant. According to McAfee, there are samples as old as October 2014, but its use has increased since April. Online reports mention that this malware has infected machines after successful exploitation of the MS17-010 vulnerability followed by the installation of the EternalBlue/DoublePulsar backdoor.
Adylkuzz has not changed much in all these years, as we can see by comparing the code across the different waves. For example, the following graphs summarise the code differences between the October 2014 variant and the first wave, which started in April this year:
The number of functions that changed was very small:
- Identical functions: 1,553
- Matched functions: 18
- Unmatched functions: 167
The same can be seen between the April variant and the latest samples received:
- Identical functions: 1,617
- Matched functions: 0
- Unmatched functions: 178
Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning for vulnerable remote hosts with a tool such as Metasploit and then installing the CoinMiner via the DoublePulsar backdoor. A port of the MS17-010 exploit is already available for Metasploit.
This new malware campaign, detected by Proofpoint, could prove more widespread than WannaCry; Proofpoint puts the count at hundreds of thousands of PCs and servers worldwide. It is also far less visible: the attack shuts down SMB networking to prevent further infections by other malware (including the WannaCry worm) using the same vulnerability, so end users will only notice that their Windows machine is running slowly and that they no longer have access to shared Windows resources.
Connect with Secure Sense to protect data, improve your posture and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.