Adylkuzz CoinMiner Spreading Like WannaCry

By on

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and in a few others by our fellow McAfee researchers.

Today we learned that another malware family is using the same exploit to spread itself to vulnerable machines. The malware Adylkuzz is a CoinMiner malware, which means that it employs—without user consent—machine resources to mine coins for virtual currencies. This specific variant was used to mine Monero coins.

This CoinMiner is not a new variant. We have seen samples as old as October 2014, but it has increased in usage since April. Online reports mention that this malware have infected machines after a successful exploitation of the MS17-010 vulnerability followed by the installation of the backdoor malware EternalBlue/DoublePulsar.

Adylkuzz has not changed much in all these years, as we can see by comparing the code among the different waves. For example, the following graphs represent code differences between the October 2014 variant and the first wave starting in April this year:

The number of functions that changed was very small:

  • Identical functions: 1,553
  • Matched functions: 18
  • Unmatched functions: 167

The same can be seen between the April variant and the latest samples received:

  • Identical functions: 1,617
  • Matched functions: 0
  • Unmatched functions: 178

Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning remote hosts using a tool such as Metasploit and installing the CoinMiner malware via the DoublePulsar backdoor. A porting of the MS17-010 exploit is already available for Metasploit.

As this is old malware, McAfee has long had detection for it. We detect most of the samples as Packed-GV!<partial_md5> and Raiden detection RDN/Generic.grp.

Customers might also want to follow the generic guidelines for blocking, whenever possible, the network ports used by the exploit (TCP/445 and UDP/137) to avoid further infections.

We will update our readers about this malware as we learn more.

Leave a Comment

Similar articles

At the end of last year, a survey revealed that the most popular password was still “123456,” followed by “password.” These highly hackable choices are despite years of education around the importance of password security. So, what does this say about people who pick simple passwords? Most likely, they are shooting for a password that is ...
Read Blog
If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and ...
Read Blog
Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long ...
Read Blog