As last week's WannaCry outbreak winds down, a second global malware campaign, called "Adylkuzz", has come to light. Instead of encrypting files, it silently turns victims' machines into cryptocurrency miners. Adding insult to injury, it rides on the very same leaked NSA tooling.
Made Possible by NSA Tools
Adylkuzz spreads with the same EternalBlue exploit that WannaCry used, an exploit originally developed by the NSA. In April, the hacker group calling itself TheShadowBrokers, which reportedly stole the tools from NSA servers, published them for anyone to download. EternalBlue abuses a flaw in SMBv1, the legacy version of Windows' file-sharing protocol; Microsoft fixed it in March under bulletin MS17-010, but any Windows version from XP onward that still exposes SMBv1 without that fix is affected.
Once EternalBlue has compromised a target, the attackers install a second NSA tool, the DoublePulsar kernel backdoor, which gives them "silent, persistent access to the system." With the backdoor in place they can load and run any payload they choose: WannaCry used it to deliver ransomware, and Adylkuzz uses it to deliver a miner.
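The attack path above has two preconditions an administrator can check and remove: the SMBv1 server is still enabled, and TCP 445 is reachable from networks it should not be. The PowerShell below is an added example written for this page, not code from the article or from Proofpoint or Symantec. It assumes an elevated session on Windows 8 / Server 2012 or later (the `Get-SmbServerConfiguration` and NetSecurity cmdlets do not exist on Windows 7 or XP), and the KB list is the author's partial lookup of MS17-010 package numbers, which you should verify against the bulletin for your build.

```powershell
# Added example (not from the article or any vendor): check a Windows host for
# the two things EternalBlue needs, then close them. Run elevated.
#Requires -RunAsAdministrator

# 1. Is the SMBv1 server still enabled? EternalBlue only works against SMBv1.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED: this host is reachable by EternalBlue if unpatched."
} else {
    Write-Host "SMBv1 server is disabled."
}

# 2. Is the MS17-010 fix installed? KB numbers differ per OS version. This list
#    is an ASSUMPTION (a partial lookup by the example's author); extend it from
#    the MS17-010 bulletin for the builds you manage. Windows 10 receives the fix
#    through cumulative updates, so compare the OS build number there instead.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')
$installed  = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010Kbs }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 package from the list found; verify by build number."
}

# 3. Who is talking to TCP 445 right now? Any established session from an
#    address outside your file-sharing subnets deserves a look.
Get-NetTCPConnection -LocalPort 445 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State |
    Format-Table -AutoSize

# 4. Remediate: switch SMBv1 off (a reboot completes the removal on Windows 8.1/10)
#    and block inbound 445 on the Public profile, where file sharing never belongs.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
$ruleName = 'Block inbound SMB 445 (EternalBlue)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
}
```

Disabling SMBv1 breaks only clients that cannot speak SMBv2 or later (Windows XP, some old printers and NAS boxes), so inventory those first; the firewall rule is deliberately limited to the Public profile so domain file sharing keeps working while laptops on hotel Wi-Fi stop answering on 445.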
Adylkuzz was first detected by Sunnyvale-based Proofpoint on May 17, said Nicolas Godier, a researcher at the cybersecurity firm. “It uses the hacking tools recently disclosed by the NSA and which have since been fixed by Microsoft in a more stealthy manner and for a different purpose.”
Mining for Monero
In contrast with WannaCry's ransomware approach, Adylkuzz installs a background task that burns the machine's CPU to mine the cryptocurrency Monero. The coins are then silently forwarded to the malware's authors.
In the altcoin world, Monero is known for being far harder to trace than Bitcoin. Ring signatures and one-time stealth addresses hide the sender and recipient of a transaction, and confidential transactions hide the amounts, so a casual observer of the blockchain learns none of the three. Just as important for covert mining, Monero's proof-of-work was designed to run efficiently on ordinary CPUs, so a fleet of compromised office PCs earns real money, whereas Bitcoin mining is only worthwhile on specialised ASIC hardware.
Perhaps the most dangerous aspect of the malware is how quiet it is. Victims may notice that their machines run more slowly than normal, and may find that they have lost access to Windows file shares (the miner blocks inbound SMB on the infected host, which keeps rival EternalBlue malware out), but neither symptom points obviously to an infection.
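Both symptoms leave traces a responder can query directly. The PowerShell below is an added triage example written for this page, not code from the article or from any vendor's report: it lists CPU-hungry background processes together with their outbound connections, and checks whether something on the host has shut the SMB door. The pool ports and the CPU threshold are assumptions chosen for illustration, not indicators taken from the Adylkuzz analysis.

```powershell
# Added example (not the article's or any vendor's code): first-pass triage for a
# host that is "slow" and has "lost its shares". Run elevated on Windows 8/2012+.
$poolPorts  = 3333, 5555, 7777, 14444   # ASSUMPTION: ports stratum mining pools commonly use
$cpuSeconds = 600                       # ASSUMPTION: flag anything past 10 CPU-minutes

# Process CPU time is cumulative, so a miner that has run for hours stands out
# from a single sample; no need to poll.
$hot = Get-Process | Where-Object { $_.CPU -gt $cpuSeconds } |
    Sort-Object CPU -Descending |
    Select-Object Id, ProcessName, Path, @{ n = 'CPUMin'; e = { [math]::Round($_.CPU / 60, 1) } }

# Join each hot process with its established outbound connections and mark
# any that talk to a pool-looking port.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($p in $hot) {
    $remotePorts = $conns | Where-Object { $_.OwningProcess -eq $p.Id } |
        Select-Object -ExpandProperty RemotePort -Unique
    $toPool = $remotePorts | Where-Object { $_ -in $poolPorts }
    $flag = if ($toPool) { "SUSPECT: pool ports $($toPool -join ',')" } else { '' }
    '{0,6} {1,-22} {2,8} min  {3}  {4}' -f $p.Id, $p.ProcessName, $p.CPUMin, $p.Path, $flag
}

# "Lost access to shared resources" can be self-inflicted: the miner blocks SMB
# behind itself. Is 445 still listening, and does any local block rule or
# IPsec policy now cover it?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if (-not $listening) {
    Write-Warning 'Nothing is listening on TCP 445: SMB server stopped or blocked locally.'
}
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 445 } |
    ForEach-Object { Write-Warning "Inbound block on 445 in firewall rule $($_.InstanceID)" }
netsh ipsec static show policy all
```

A process flagged here is a lead, not a verdict: confirm with the binary's path and signature, the parent process, and where the pool connection actually goes. A freshly created IPsec policy or block rule that nobody in IT admits to writing is, on its own, a strong reason to pull the host off the network.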
Uncertainty on Prevalence
Proofpoint estimates that the Adylkuzz spread is “much bigger than WannaCry,” and may have started as far back as April 27th.
Antivirus firm Symantec disputes this assessment, however, stating in a blog post that it had blocked over "44 million [EternalBlue attempts] and observed fewer than 200 machines with Adylkuzz infections."
TheShadowBrokers reportedly hold further NSA tools, including exploits for Windows 10 vulnerabilities, and have threatened to publish all of them, along with network data from "Russian, Chinese, Iranian, or North Korean" nuclear missile programs.
Are you worried about this new malware? Share your thoughts down below.
Images via Pixabay, Denver Post