The attackers behind WanaCrypt0r/WannaCry were not the only cybercriminals putting DoublePulsar and EternalBlue to use this weekend, as Proofpoint spotted the stolen NSA tools being used with the cryptocurrency miner Adylkuzz.
The Adylkuzz attack may not only have been larger than WannaCry, but could have been one of the mitigating factors that helped shut down that ransomware attack, wrote a Proofpoint security researcher who goes by the alias Kafeine. The mining campaign was after the cryptocurrency Monero.
“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” he said.
The Adylkuzz campaign began sometime between April 24 and May 2. Because it started before WanaCryptor hit on May 12, Kafeine thinks some companies mistakenly believed they were being victimized by the ransomware when in fact it was Adylkuzz.
Some of the clues that a system is under attack by this malware include loss of access to shared Windows resources and slower PC and server performance. Like WannaCry, Adylkuzz takes advantage of Windows vulnerability MS17-010 on TCP port 445, Kafeine reported. The attack itself originates from several private servers that are scanning on port 445 for victims.
Once EternalBlue finds a target computer it installs the DoublePulsar backdoor which then injects Adylkuzz.
Proofpoint came across this attack when it was searching for WannaCry by setting up a computer vulnerable to EternalBlue.
“While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” he wrote.
Proofpoint was able to find several web addresses that received Monero deposits starting on April 24. About $43,000 in Monero was tracked being deposited.