Adylkuzz: Another Large-Scale Cyberattack That Mines Monero Using Infected Computers Now Underway

in #security, 8 years ago (edited)


From Yahoo News and other sources, I just learned that another large-scale cyberattack is underway around the world, which uses the same computer vulnerabilities as WannaCry.

It's called Adylkuzz, and it mines the cryptocurrency Monero in the background, so the computer user doesn't really know it is there. The Windows vulnerabilities the WannaCry attackers used, known as EternalBlue and DoublePulsar, are what install the cryptocurrency-mining scripts. It appears that this Adylkuzz malware infection is larger than the WannaCry ransomware infection, with hundreds of thousands of computers and servers now infected. It was discovered later than WannaCry because it sits silently in the background of the computer; it took a specialized test to even detect it. A lab was testing a computer infected with WannaCry when it discovered the Monero mining going on in the background.

Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance. Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity. However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.

It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions. - Proofpoint
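The two symptoms Proofpoint lists (lost access to shared Windows resources and degraded performance) are things an administrator can check on a single host. The script below is an added example written for this post; it is not code from the post or from Proofpoint. It tests SMB reachability to a file server, lists enabled firewall rules that block TCP 445 (the behaviour described above of blocking SMB after infection), reports whether SMBv1 is still enabled and whether the MS17-010 fix is installed, and shows the top CPU consumers. The file server name and the KB number are placeholders you must replace; the KB for MS17-010 differs per Windows version and is not given on this page.

```powershell
# Added host-triage script (not from the post or from Proofpoint).
# Placeholders: $FileServer is a share host you normally reach; $Ms17010Kb is the
# KB number for this OS from Microsoft's MS17-010 bulletin. Run in an elevated
# PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.
param(
    [string]$FileServer = 'FILESERVER01',   # placeholder: replace with a real share host
    [string]$Ms17010Kb  = 'KB0000000'       # placeholder: look up the KB for this OS
)

$report = [ordered]@{}

# Symptom 1: loss of access to shared Windows resources.
# A TCP connect to port 445 on a known file server should normally succeed.
$report.SmbReachable = (Test-NetConnection -ComputerName $FileServer -Port 445 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# Adylkuzz is described as blocking SMB once it is running. An enabled Block
# rule on port 445 that nobody on the team created is worth investigating.
$report.SmbBlockRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' -or $_.RemotePort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' } |
    Select-Object DisplayName, Direction, Profile

# Exposure: EternalBlue targets SMBv1. An enabled SMBv1 server plus a missing
# patch means the host is still exploitable whether or not it is infected.
$report.Smb1Enabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
$report.Ms17010Patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

# Symptom 2: degraded performance. A miner shows up as a sustained top CPU
# consumer; list the top five with their image paths for a manual look.
$report.TopCpu = Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 5 Name, Id, @{n='CpuSeconds'; e={[int]$_.CPU}}, Path

[pscustomobject]$report | Format-List
```

Run it as `.\smb-triage.ps1 -FileServer <host> -Ms17010Kb <KB number>`. An unreachable file server together with a fresh 445 Block rule points at the behaviour described above; a missing patch with SMBv1 enabled means the host should be patched (or SMBv1 disabled) before it is put back on the network, regardless of whether a miner is found.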

Some of the computers infected with the Adylkuzz malware have mined over $22,000 worth of Monero. And from the looks of it, this malware was active well before the WannaCry ransomware was unleashed.

Wow, and if cryptocurrency had a bad name before, this is just making it worse!
Do you know of anyone or any company that is currently experiencing the WannaCry ransomware?


This looks like a blessing in disguise for Steem and its older brother! On top of it, it sure will expose the matter of crypto-currencies to the world at large.

Thanks for the great piece of actually you just shared with us. Namaste :)

This is part of the reason why so many people prefer to stay away from cryptocurrencies. Thanks for sharing this important update @stellabelle.

Incredible... I can not believe it :-|

I made a video about that malware months ago. Monero even has a YouTube video from months ago of them speaking to Coinbase about it, and they are very proud, as it makes Monero even more decentralized.

I bet you did, since you make a video every day.

Well that's kinda sad and scary.... -_-

We have been seeing this kind of thing pretty much since Bitcoin became worth something in 2010. The only thing that tends to change is the cryptocurrency being mined by the botnet, and the infection vector.

With the absolutely enormous number of machines impacted by MS17-010 (ETERNALBLUE) and the related DOUBLEPULSAR implant, it's unsurprising that it is being used for infection/spreading. As for the choice of Monero, Monero mining is incredibly profitable if you are not paying for the resources being used (i.e. botnet mining).

Is your dash art contest still ongoing?
If so, how do you enter?

you already did! Thank you!!!!!!!

You should not install anything from unreliable sources, to prevent WannaCry.

BTC &amp; LTC were on botnets for a long time! At some forums they also had a guide to set up man-in-the-middle attacks in malls and other public areas!