Security experts at ProofPoint security discovered that many machines can’t be infected by WannaCry because they have been already infected by Adylkuzz.
The recent WannaCry ransomware attack wasn’t the first to use the NSA-linked EternalBlue and DoublePulsar hacking tools.
Proofpoint researchers have discovered that the cryptocurrency miner Adylkuzz, was the first threat that used the EternalBlue exploit to trigger a vulnerability in the Server Message Block (SMB) protocol.
The botnet used the EternalBlue exploit to improve the malware propagation, meanwhile, the DoublePulsar backdoor was used to deliver a malicious payload on target machines.
Once the miner has infected a machine it will lose access to shared Windows resources and its performance slowly degrades, but most interesting thing is that the malware shuts down SMB networking to prevent infections with other malware.
This implies that machines infected by Adylkuzz could not be compromised by the WannaCry ransomware, the effects of the last mass-ransomware attack could have been more severe in absence of a threat that previously exploited the same flaw.
“Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity. However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” wrote the security researcher Kafeine. “This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive.”
Kafeine speculates that the Adylkuzz malware has patched the vulnerability targeted by WannaCry, limiting the spreading of the ransomware.
Threat actors behind the Adylkuzz attack used several virtual private servers to power the attack, they exploited EternalBlue to compromise them, then the DoublePulsar backdoor is established to download and execute the Adylkuzz malware.
Once the Adylkuzz malware has infected a machine, the miner first stops any potential instances of itself and blocks SMB communication to avoid further infection.
The malicious code also determines the public IP address of the victim and then downloads the mining instructions, the Monero crypto miner, and cleanup tools.
“It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.” continues Kafeine.
“It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.”
The analysis of the mining payments associated with a Monero address used by the crooks suggests the attacks started on April 24, while on May 11, the actor supposedly switched to a new mining user address. Attackers received around $43,000 in payments to three distinct Monero addresses.
“We have currently identified over 20 hosts set up to scan and attack, and are aware of more than a dozen active Adylkuzz C&C servers. We also expect that there are many more Monero mining payment addresses and Adylkuzz C&C servers associated with this activity,” Kafeine added.