Adylkuzz Cryptocurrency Mining
Malware Spreading for Weeks Via EternalBlue/DoublePulsar

  

Attackers spread a Massive Ransomware attack worldwide

On Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of the Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block (SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the attacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the ransomware known as WannaCry.

Over the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.

Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity. However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.

The Discovery

In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.

The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets. Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, crypto miner, and cleanup tools.

It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the crypto miner binaries and mining instructions. In this attack, Adylkuzz is being used to mine Monero cryptocurrency. Similar to Bitcoin but with enhanced anonymity capabilities, Monero recently saw a surge in activity after it was adopted by the AlphaBay darknet market, described by law enforcement authorities as “a major underground website known to sell drugs, stolen credit cards and counterfeit items.” Like other cryptocurrencies, Monero increases market capitalization through the process of mining. This process is computationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at current exchange rates.

One of several Monero addresses associated with this attack is shown in Figure 4. The hash rate shows the relative speed with which the specific associated instance of the botnet is mining Moneros, while the total paid shows the amount paid to this particular address for mining activities. In this case, just over $22,000 was paid out before the mining associated with this address ceased. Looking at the mining payments per day associated with a single Adylkuzz address, we can see the increased payment activity beginning on April 24 when this attack began. We believe that the sudden drop that occurred on May 11 indicates when the actors switched to a new mining user address (Figure 5). By regularly switching addresses, we believe that the actors are attempting to avoid having too many Moneros paid to a single address.

Statistics and payment history for a second payment address are shown in Figure 6. This address has had just over $7,000 paid to date. A third address shows a higher hash rate and a current payment total of over $14,000. We have currently identified over 20 hosts setup to scan and attack, and are aware of more than a dozen active Adylkuzz C&C servers. We also expect that there are many more Monero mining payment addresses and Adylkuzz C&C servers associated with this activity.

Conclusion

Like last week’s WannaCry campaign, this attack makes use of leaked NSA hacking tools and leverages a patched vulnerability in Microsoft Windows networking. The Adylkuzz campaign, in fact, predates WannaCry by many days. For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack. Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible.

Acknowledgments

We want to thank:

  • Our friends at Trend Micro for input allowing us to add more IOCs
  • Cloudflare and Choopa for their immediate action upon notification.
  • @benkow_ for several inputs.

Chuck Reynolds
Contributor
Please click either Link to Learn more about TCC-Bitcoin.