Adylkuzz: Monero Mining Botnet Formed Through Leaked NSA Tools

Jun 9, 2017

With the shock of several U.K.-based emergency rooms being knocked out of commission still fresh in the minds of citizens worldwide, ransomware continues to grow in popularity both as a household term and as a method of extortion. Some malware has, however, taken to a less confrontational and potentially more lucrative method of attack.

The EternalBlue exploit and the DoublePulsar backdoor, NSA tools leaked by the hacking collective known as the Shadow Brokers, have since been used in attacks all over the globe. EternalBlue exploits a flaw in Microsoft's SMBv1 implementation (patched in MS17-010 in March 2017) to gain code execution on an unpatched Windows host, and DoublePulsar is the kernel-mode implant dropped afterwards to load further payloads. One such attack crippled ERs and other medical facilities around the U.K. The malware used was called WannaCry.

According to Cisco, another piece of malware got there before WannaCry and likely helped to limit its spread. Adylkuzz is believed to have been operating undetected for days to weeks before it was discovered. It used the same leaked NSA tools, but unlike WannaCry it stayed in the background instead of openly attacking the infected machine and extorting the user.

What is Adylkuzz?

Adylkuzz is a trojan that relies on the two leaked NSA tools, EternalBlue and DoublePulsar, to get onto a machine. Once inside, it closes the door it came through: it blocks SMB traffic on the host (the SMBv1 service on TCP port 445) so that other malware exploiting the same flaw cannot interrupt its operation or draw the attention that would lead to its discovery. Note that this only blocks the port; the host is still unpatched, and the miner itself is still running.

Having secured its entry point, Adylkuzz unpacks its plugins and installs cryptocurrency mining software that runs in the background as a Windows service. Because the miner runs as a background service, most users can keep using the computer normally, noticing at most sluggish performance and lost access to Windows file shares, while the machine quietly earns money for the attacker.
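The two host-side symptoms described above (inbound SMB suddenly blocked, and a long-running background process burning CPU while talking to a remote mining pool) are what a responder can look for on a suspect machine. The triage script below is an added example for this page, not code from the original article or from any Adylkuzz analysis; the pool port list and CPU threshold are heuristics chosen for the example, not published Adylkuzz indicators, and it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (NetSecurity and NetTCPIP modules present).

```powershell
# Added example: host triage for the Adylkuzz pattern (block SMB, then mine in the background).
# Assumptions (not from the article): common Stratum pool ports and a 10-CPU-minute threshold.
$MinerPoolPorts      = @(3333, 3334, 4444, 5555, 7777, 8080, 14444)
$CpuSecondsThreshold = 600

function Find-SmbBlockRule {
    # Enabled inbound block rules whose local port list includes 445 (or all ports).
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            if ($ports -contains '445' -or $ports -contains 'Any') {
                [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Ports = ($ports -join ',') }
            }
        }
}

function Find-IpsecSmbPolicy {
    # A block implemented as a static IPsec filter does not appear as a firewall rule,
    # so also dump the IPsec policy store and look for port 445.
    $out = & netsh ipsec static show all 2>$null
    if ($out -match '445') { $out | Select-String '445' }
}

function Find-MinerLikeProcess {
    # Processes with heavy accumulated CPU time that hold a connection to a pool-like port.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in $MinerPoolPorts }
    foreach ($c in $conns) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if ($p -and $p.CPU -ge $CpuSecondsThreshold) {
            # If the process is hosted by a service, report the service name as well.
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                CpuSec  = [int]$p.CPU
                Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
                Service = if ($svc) { $svc.Name } else { '-' }
                Path    = $p.Path
            }
        }
    }
}

'== Inbound firewall rules blocking SMB (445) =='
Find-SmbBlockRule | Format-Table -AutoSize
'== IPsec policy lines mentioning 445 =='
Find-IpsecSmbPolicy
'== CPU-heavy processes talking to pool-like ports =='
Find-MinerLikeProcess | Format-Table -AutoSize
```

A hit in the first two sections on a machine nobody hardened deliberately is the stronger signal; legitimate software rarely adds a rule that blocks inbound SMB on its own. The third section is a heuristic and will also flag honest CPU-heavy software using one of those ports, so treat it as a lead to verify (binary path, signer, service install time), not as a verdict.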

What is the difference between Adylkuzz and WannaCry?

Both forms of malware are considered trojans, both made use of the leaked NSA exploits, and both hijacked large numbers of computers. There are, however, key differences to offset their similarities.

WannaCry was ransomware: it invaded computers and encrypted the files on the machine, locking users out unless they paid the amount the attacker demanded for the decryption key. Seeking profit this aggressively and destructively brought in an estimated total of between $27,000 and $33,000 at the time, as reported by the New York Times and Gizmodo.

Adylkuzz, by contrast, hijacked machines and ran cryptocurrency mining in the shadows, bringing the attackers passive income while keeping the number of discovered infections low. According to The Daily Westerner, by staying quiet and blocking SMBv1 on each host it took over, Adylkuzz both ensured its own longevity and reduced the number of machines left open for WannaCry to spread to.

How did the attackers profit?

This strain of malware earned the attackers tens of thousands of dollars in the cryptocurrency Monero. The infected machines mined the currency and paid it out to attacker-controlled wallets, from which it was moved on elsewhere on the Monero network.

By some estimates the attackers made more than 10 times what the WannaCry campaign took in, and the figure kept growing for as long as the botnet ran. Because the mining was done by hijacked machines, the attackers paid nothing for hardware or electricity; their takings were close to pure profit.

How did the attackers escape discovery?

The attackers used a combination of methods to avoid exposing themselves: the fungibility of the cryptocurrency, launching the attack from remote machines, and throwaway cryptocurrency wallets to hold and forward the proceeds.

Fungibility is a core property of most currencies: any unit of the currency can be freely interchanged with any other unit of the same currency. Monero's transaction privacy features (ring signatures, stealth addresses and confidential amounts) hide who sent what to whom, so no coin carries a traceable history that could mark it as "tainted". That untraceability is what protects the privacy of ordinary Monero users, and it is equally what let the Adylkuzz operators cash out their mined coins without the chain linking the funds back to the botnet.

How can I defend myself?

For this pair of threats specifically, the decisive defence is to install the MS17-010 update, disable SMBv1 on hosts that do not need it, and block TCP port 445 from the internet at the perimeter; the infection vector for both WannaCry and Adylkuzz was an unpatched SMBv1 service reachable over the network, not a phishing email. More generally, keep Office macros disabled, keep your operating system and firmware current with the latest patches, and run a regularly updated anti-virus and anti-malware product.

Other important habits include checking the sender before acting on an email, not opening attachments from untrusted parties, and following a cybersecurity news outlet regularly so you know which infections are circulating and how to avoid them.
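The host-side part of that advice (confirm MS17-010 is installed, find out whether SMBv1 is enabled, disable it, and block inbound 445 from outside the local subnet) can be checked and applied in a few lines. The script below is an added example for this page, not code from the original article or from Microsoft. The KB numbers are the March 2017 MS17-010 packages for common OS versions and are listed as an assumption: confirm the right one for your build against the Microsoft bulletin, and note that on Windows 10 a later cumulative update supersedes KB4013429 and will not show up under that number, so a miss there is not proof the host is unpatched. Run as Administrator.

```powershell
# Added example: check and harden a Windows host against the SMBv1 path used by WannaCry and Adylkuzz.
# Assumption: these KBs are the MS17-010 packages for Win7/2008R2, 8.1/2012R2, 2012, Win10 1607 and XP/2003.
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4013429','KB4012598'

function Test-Ms17010Installed {
    # Get-HotFix only lists updates installed under their own KB number; on Windows 10 a
    # later cumulative update contains the fix but reports a different KB, so treat a miss as "verify".
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    $hit = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($hit.Count -gt 0); Matched = ($hit -join ',') }
}

function Test-Smb1Enabled {
    # Server-side SMBv1 (what EternalBlue targets) plus the optional feature on 8.1/10/2012R2+.
    $server  = (Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1   = $server
        FeatureState = if ($feature) { $feature.State } else { 'n/a' }
    }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

function Block-InboundSmbFromOutside {
    # Keep file sharing on the local subnet working; block 445 from every non-local address.
    $name = 'Block SMB 445 from non-local'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

$patch = Test-Ms17010Installed
$smb1  = Test-Smb1Enabled
"MS17-010 KB found: $($patch.Patched) $($patch.Matched)"
"SMBv1 server enabled: $($smb1.ServerSmb1); optional feature: $($smb1.FeatureState)"
if (-not $patch.Patched) { Write-Warning 'No MS17-010 KB found: confirm the patch level (OS build) before trusting this host.' }
if ($smb1.ServerSmb1 -ne $false) { Disable-Smb1; 'SMBv1 disabled (a reboot may be needed to finish removing the feature).' }
Block-InboundSmbFromOutside
'Inbound TCP 445 from outside the local subnet is now blocked.'
```

Disabling SMBv1 breaks file sharing with very old clients and some printers or NAS boxes that speak only the old dialect; on a server that still has such dependants, apply the patch and the firewall rule first and plan the SMBv1 removal separately. The `Internet` keyword in the firewall rule resolves to addresses outside the local subnet, which is usually the right scope for a workstation; for a domain file server you would scope the allow side to the networks that need it instead.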

Summary

Adylkuzz has been credited with limiting the spread of WannaCry by operating in the background and sealing the entryway through which WannaCry would otherwise have invaded the same machines. Despite being far less disruptive than its ransomware counterpart, Adylkuzz appears to have been massively more profitable.

Through the use of enslaved machines, Adylkuzz managed to produce five-figure paydays in the Monero cryptocurrency for the puppet masters behind its implementation.