May 22, 2017
How Adylkuzz uses the EternalBlue Exploit
WannaCry got all the attention over the past week, but another bit of malware has been more successful. It also has been running longer than the WannaCry epidemic. It is called Adylkuzz, by no means as flashy a name as WannaCry, but it uses the same attack vector to infect production machines. However, it has a slightly different take on monetizing the infection.
Let's talk about the attack vector. WannaCry brought to light the ways thieves can use NSA-leaked exploits, like EternalBlue/DOUBLEPULSAR, to embed themselves in computers. Adylkuzz also uses EternalBlue, so at this point I would hope everyone reading this has patched their Windows OS. If not, stop what you are doing and run Windows Update...including Windows 2003 and XP. OK, now that you’ve got that taken care of: Adylkuzz spreads like WannaCry, but its creators designed it to continually generate revenue as an alternative to a one-time payment.
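Patching is the fix the post calls for; the script below is an added example (not from the original post) that a Windows administrator can run after Windows Update to confirm the host no longer offers SMBv1, the protocol EternalBlue abuses, and to turn it off if it still does. It assumes an elevated PowerShell prompt on Windows 8.1 / Windows 10; the SmbServer cmdlets do not exist on XP or Server 2003, and on Server editions the feature is managed with Get-WindowsFeature FS-SMB1 instead of the optional-feature cmdlets used here. The function names Get-Smb1Status and Disable-Smb1 are this example's own.

```powershell
# Added example: verify SMBv1 exposure on this host and optionally remove it.
# Assumes Windows 8.1 / 10 client, run as Administrator. Not part of the original post.

function Get-Smb1Status {
    # Does the SMB server still negotiate SMBv1 with clients?
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Is the SMBv1 client/server feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    # Most recent update install date, as a rough "has this box been patched lately" signal
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerAcceptsSmb1 = $serverSmb1
        Smb1FeatureState  = $feature.State          # Enabled / Disabled
        LastHotFixId      = $lastFix.HotFixID
        LastHotFixDate    = $lastFix.InstalledOn
    }
}

function Disable-Smb1 {
    # Stop the server side from negotiating SMBv1; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 feature entirely (client and server); requires a reboot to finish.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

$status = Get-Smb1Status
$status | Format-List

if ($status.ServerAcceptsSmb1 -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is still available on $($status.ComputerName). " +
                  "Confirm nothing (old NAS, printers, legacy apps) depends on it, then run Disable-Smb1."
} else {
    Write-Output "SMBv1 is off; EternalBlue's transport is not exposed by this host."
}
```

Check the Smb1FeatureState and ServerAcceptsSmb1 fields first on a few representative machines before disabling the feature fleet-wide, since some older file-sharing devices still speak only SMBv1.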
There are a few ways in which Adylkuzz has taken the EternalBlue exploit further than WannaCry ever did.
Adylkuzz stayed under the radar—It has been running for a while without drawing too much attention to itself. WannaCry let the world know that it needed to update Windows to close the attack vector that EternalBlue used, but the people who released the EternalBlue exploit last February have recently released a treasure trove of other exploits that anyone can use, including the creators or copycats of Adylkuzz.
Adylkuzz builds a constant stream of revenue—It never demands any money from users or encrypts data. Instead Adylkuzz installs a Monero cryptocurrency mining program and recruits the machine into a global mining botnet that sends Monero constantly to the thieves. One Monero is currently valued at about $26 USD. Multiplied by the number of computers infected, it has the potential to make millions, if it hasn’t already.
Further anonymity—WannaCry had three hard-coded bitcoin wallets associated with ransom payments. Adylkuzz doesn’t bother with hard coding. Instead, it creates numerous wallets over time that max out at smaller sums of money.
More and more of the attacks that happen will come from exploits, because they spread more easily than phishing schemes. Make sure to educate yourself and others, and provide threat protection in depth. If you do nothing else, get a backup/business continuity solution that allows you to restore quickly in the event of infection, and notify your local FBI field office.