Cryptocurrency miner found armed with same exploits as WannaCrypt

Marco Green
May 19, 2017

After the WannaCry ransomware infected more than 300,000 computers worldwide in an unprecedented cyber-attack over the weekend, cyber-security firm Proofpoint discovered a new attack called Adylkuzz.

"'WannaCry" and "Adylkuzz' show how important security patches are in building and maintaining those effective defences, and why regular patching plans to mitigate environment vulnerabilities need to become a higher priority", added Steve Grobman, Senior Vice President and Chief Technology Officer, McAfee. But Adylkuzz isn't interested in sharing an affected computer that's capable of communicating over Microsoft's Microsoft Server Message Block (SMB).

With Adylkuzz, instead of locking the victims' computer with ransomware, the malware turns infected computers into a botnet of "miners", funneling large sums of digital currency.

Perianne Boring of the Digital Chamber of Commerce, a Washington, D.C. -based trade association representing the blockchain industry, defended the Bitcoin community's efforts to coordinate with law enforcement following the WannaCry attacks but told ABC News her organization does not work with Monero.

"As disruptive as WannaCry has been to vulnerable organisations, more deadly attacks that don't announce their presence, like the cryptocurrency miner Adylkuzz, go undetected", Brian Vecci from Varonis told CNET.

"There are others, but these are the bad ones that spread like a worm", Kalember says. "However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24".

Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero.

Proofpoint said that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately.

After the Shadow Brokers published the NSA tools cache in mid-April, Proofpoint was on the lookout for signs that hackers would try to make use of those vulnerabilities. Proofpoint claims the hackers have reaped well upwards of $US44,000 in Monero over the course of the attack, which is still ongoing. Security researchers recommend updating Windows machines to Microsoft's latest patches.

While the WannaCry ransomware hit the world in a frenzy, the next wave of hacks using the same tactics is much quieter.

"There are no telltale clues that we've been able to identify", Kalember says of Adylkuzz.

The world is yet to overcome the shock of the "WannaCry" ransomware attack which wreaked havoc in 150 countries and here comes another threat - the Adylkuzz Cryptocurrency Mining Malware.

The interesting thing about the Adylkuzz malware, Huss said, is that it prevented other viruses from infecting the computer it's on because it wanted to remain undetectable for as long as possible - that means it prevented WannaCry from ransoming those computers. While mining, the attacker uses the computer's resources - its processor and/or graphics card-and performs complicated computations, which creates new Monero coins.

Other reports by Click Lancashire

Discuss This Article