Cryptocurrency miner Adylkuzz attack could be bigger than WannaCry

Statement by Steve Grobman, CTO, McAfee

Unterschleißheim, (PresseBox) - The attackers behind WanaCrypt0r/WannaCry were not the only cybercriminals putting DoublePulsar and EternalBlue to use this weekend, as Proofpoint spotted the stolen NSA tools being used with the cryptocurrency miner Adylkuzz.

The Adylkuzz attack may not only have been larger than WannaCry, but could have been one of the mitigating factors that helped shut down that ransomware attack, wrote a Proofpoint security researcher who goes by the alias Kafeine. The mining campaign was after the cryptocurrency Monero.

“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week's WannaCry infection,” he said.

The Adylkuzz campaign began sometime between April 24 and May 2. Because it started before WanaCryptor hit on May 12, Kafeine thinks some companies mistakenly believed they were being victimized by the ransomware when in fact it was Adylkuzz.

Clues that a system is under attack by this malware include loss of access to shared Windows resources and slower PC and server performance. Like WannaCry, Adylkuzz exploits the Windows vulnerability MS17-010 over TCP port 445, Kafeine reported. The attack itself originates from several private servers that scan port 445 for victims.
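The two indicators in the paragraph above, inbound probing of TCP/445 from a handful of external hosts and the later loss of SMB shares, are what a defender can look for in connection logs. The following detector is an added example, not code from Proofpoint or from the article: it reads a constructed, space-separated connection log (timestamp, source, destination, destination port, action; the format, the addresses and the thresholds are all assumptions) and flags any source that attempts connections to port 445 on at least `min_hosts` distinct destinations inside a sliding time window, which is the shape of the scanning the article describes.

```python
"""Flag sources that probe TCP/445 across many distinct hosts in a short window.

Added example for the Adylkuzz article; the log format, addresses (RFC 5737
documentation ranges and RFC 1918 space) and thresholds are constructed, not
taken from the original report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one connection attempt per line.
# Fields: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2017-05-15T10:00:01Z 203.0.113.7 10.0.0.11 445 SYN
2017-05-15T10:00:01Z 203.0.113.7 10.0.0.12 445 SYN
2017-05-15T10:00:02Z 203.0.113.7 10.0.0.13 445 SYN
2017-05-15T10:00:02Z 203.0.113.7 10.0.0.14 445 SYN
2017-05-15T10:00:03Z 203.0.113.7 10.0.0.15 445 SYN
2017-05-15T10:00:03Z 203.0.113.7 10.0.0.16 445 SYN
2017-05-15T10:00:05Z 10.0.0.50 10.0.0.11 445 SYN
2017-05-15T10:00:06Z 10.0.0.50 10.0.0.11 445 SYN
2017-05-15T10:00:07Z 198.51.100.9 10.0.0.11 80 SYN
2017-05-15T10:00:08Z 198.51.100.9 10.0.0.12 80 SYN
2017-05-15T10:00:09Z 198.51.100.9 10.0.0.13 80 SYN
2017-05-15T10:00:10Z 198.51.100.9 10.0.0.14 80 SYN
2017-05-15T10:00:11Z 198.51.100.9 10.0.0.15 80 SYN
2017-05-15T10:05:00Z 192.0.2.33 10.0.0.11 445 SYN
2017-05-15T10:07:00Z 192.0.2.33 10.0.0.12 445 SYN
2017-05-15T10:09:00Z 192.0.2.33 10.0.0.13 445 SYN
2017-05-15T10:11:00Z 192.0.2.33 10.0.0.14 445 SYN
2017-05-15T10:13:00Z 192.0.2.33 10.0.0.15 445 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), action


def find_smb_scanners(log_text, window_seconds=60, min_hosts=5, port=445):
    """Return {src_ip: {"distinct_hosts": n, "window_end": ts}} for every
    source that touched `port` on at least `min_hosts` distinct destinations
    within any `window_seconds`-long sliding window.

    Only the largest distinct-host count seen for each source is kept, so a
    noisy scanner yields one alert rather than one per probe.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order per source
        in_window = deque()           # (ts, dst) pairs inside the current window
        per_dst = defaultdict(int)    # dst -> number of events still in window
        for ts, dst in evs:
            in_window.append((ts, dst))
            per_dst[dst] += 1
            # Drop events that fell out of the window relative to this event.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            distinct = len(per_dst)
            if distinct >= min_hosts:
                prev = alerts.get(src)
                if prev is None or distinct > prev["distinct_hosts"]:
                    alerts[src] = {"distinct_hosts": distinct, "window_end": ts}
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_hosts']} hosts on 445 by {info['window_end']}")
```

With the default 60-second window only the fast scanner (203.0.113.7) is flagged; widening the window to 600 seconds also catches the slow, two-minute-interval probing from 192.0.2.33, while the host that retried a single server and the web-port traffic are ignored. The window and host-count thresholds are tuning knobs to set against a network's normal SMB traffic, not values from the article.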

Once EternalBlue finds a target computer, it installs the DoublePulsar backdoor, which then injects Adylkuzz.

Proofpoint came across this attack while searching for WannaCry by setting up a computer vulnerable to EternalBlue.

“While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” he wrote.

Proofpoint was able to find several web addresses that received Monero deposits starting on April 24. About $43,000 worth of Monero deposits were tracked.
