Adylkuzz crypto-miner exploited EternalBlue and DoublePulsar weeks before WannaCry

by Jake Doevan

While the Internet was booming with numerous reports about the WannaCry attacks [1], another malicious program, Adylkuzz, managed to pass by without major media coverage. It began spreading weeks before the first news of the worldwide WannaCry attacks reached the public. A closer look at the program shows why this malware managed to stay out of the spotlight. It is incredibly stealthy, both in the way it infiltrates systems and in the way it runs its processes on an already infected device, so infected users may have no idea their systems were broken into. This lets the parasite operate on the infected device undetected for extended periods of time. Of course, more observant users would notice that their computers gradually became slower and that CPU usage is far higher than normal [2]. Other than that, the virus leaves no trace of its activity. Needless to say, consistency and stability are of key importance to Adylkuzz, because this parasite belongs to the category of cryptocurrency miners — computer infections that exploit the resources of infected devices to generate profit for their creators. Most miners generate Bitcoins, but this malware focuses on the second most popular currency, Monero, instead. According to the statistics, one computer can generate up to a few dollars per day, so, to achieve a bigger profit, the criminals build botnets of zombie computers, connecting hundreds or even thousands of devices. From the moment it was first detected, Adylkuzz has already mined over 40,000 dollars in Monero. This sum is only expected to grow unless, of course, all Windows users patch the MS17-010 vulnerability which this malware takes advantage of when infiltrating computers.

Picture of the Cryptominer Adylkuzz

Adylkuzz developers paved the way for other malware to exploit the MS17-010 vulnerability in Windows. Later, the same security gap allowed WannaCry to carry out the biggest ransomware attack the world has ever seen and steal more than 70,000 dollars from victims worldwide. It is difficult not to notice the similarities between the two viruses: both use the same EternalBlue exploit and DoublePulsar backdoor to target computers. It seems that these tools, recently leaked from the NSA, will serve cyber criminals for a while, and we will have to step up our game in protecting our computers from potential breaches. Ironically, devices infected with Adylkuzz are less likely to be targeted by WannaCry-like viruses: the miner blocks Microsoft Server Message Block (SMB) networking, which the infamous ransomware needs in order to infiltrate PCs and run its data encryption process. Nevertheless, by no means does this imply that you should intentionally let the miner run on your computer just to shield you from other threats. Both viruses are dangerous in their own ways and must be removed as soon as possible.
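As an added example, not part of the article, here is a PowerShell check a Windows administrator can run to see whether a host still exposes the SMBv1 attack surface that both Adylkuzz and WannaCry reached through MS17-010. It assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection), an elevated session, and that the KB list is the set of MS17-010 security updates as recalled by the editor, to be verified against the MS17-010 bulletin.

```powershell
# Added example: report MS17-010 / SMBv1 exposure on the local host.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

# Assumption: these are the MS17-010 security updates as recalled from the
# bulletin; confirm the list against MS17-010 before relying on it.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215',
                'KB4012216', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Get-Ms17010Exposure {
    # EternalBlue targets the SMBv1 server, so the first question is whether
    # SMBv1 is still switched on at all.
    $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMB server actually listening on TCP 445? If the port is closed
    # (for example because a miner like Adylkuzz shut SMB down, as the article
    # describes), that is not a sign of safety, just a different problem.
    $smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                               -ErrorAction SilentlyContinue)

    # Look for any of the MS17-010 updates. Later cumulative updates supersede
    # them, so on a fully patched Windows 10 host an empty result is expected
    # and must be read together with the SMBv1 flag rather than on its own.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID

    if ($smb1Enabled -and $smbListening -and -not $found) {
        $risk = 'HIGH: SMBv1 reachable on 445 and no MS17-010 update found'
    } elseif ($smb1Enabled) {
        $risk = 'MEDIUM: SMBv1 still enabled, disable it'
    } else {
        $risk = 'LOW: SMBv1 disabled'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = $smb1Enabled
        SmbListening445 = $smbListening
        Ms17010KbFound  = ($found -join ',')
        Risk            = $risk
    }
}

Get-Ms17010Exposure | Format-List
```

The same function can be run against a fleet with Invoke-Command to build an inventory of hosts that still need the patch or still have SMBv1 enabled.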

