A huge cryptocurrency-mining botnet is using the NSA exploit found in the WannaCry malware, but it may have inadvertently stopped some of the ransomware's infections.
Stealthy cryptocurrency-mining malware using the same Windows exploit as the WannaCry ransomware began hitting machines weeks before Friday's outbreak but may have accidentally prevented some WannaCry infections.
Unlike Friday's noisy WannaCrypt attack that has affected 200,000 machines, the mining malware, dubbed Adylkuzz, has probably gone unnoticed until now because it aims to quietly free-ride its host's processing power to mine the Bitcoin-like open-source cryptocurrency, Monero.
As noted by Proofpoint security researcher Kafeine, the ongoing Adylkuzz campaign kicked off as early as April 24 using the same EternalBlue exploit created by the NSA, which targets a flaw in Microsoft's Server Message Block (SMB) networking protocol.
According to Kafeine, initial statistics suggest that this attack may be larger in scale than WannaCry.
As Microsoft explains, WannaCry spreads via two mechanisms. The worm-like behavior infects other unpatched machines on the same network. However, the malware also massively scans the internet for other vulnerable machines.
Kafeine told ZDNet that Adylkuzz isn't a worm, but does spread by scanning for vulnerable Windows machines exposed to the internet.
The researcher discovered the Adylkuzz botnet while probing WannaCrypt on the weekend with an intentionally exposed computer.
He expected the machine to be infected by WannaCry but "within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet".
Interestingly, machines infected with Adylkuzz may have been protected from WannaCry. Kafeine told ZDNet that the operators of Adylkuzz were essentially "closing the door behind them" to prevent subsequent infections by shutting down SMB communications.
"Once Adylkuzz has been launched on a machine, if Adylkuzz succeeds in closing SMB communication, which it did in all my runs, the machine can't be infected by WannaCry through SMB through its 'worm' capabilities until the owner undoes what Adylkuzz did," Kafeine explained.
Though less destructive than WannaCry, the Adylkuzz botnet may be just as lucrative for its operators.
Kafeine details three Monero addresses linked to the Adylkuzz attack, which to date have generated $22,000, $7,000, and $14,000. The addresses were banned today by the unnamed crypto pool that Adylkuzz is reporting to and receiving money from. The crypto pool lost 150,000 connections to miners after the addresses were booted off, said Kafeine.
As Kafeine explains in a blogpost, the Adylkuzz attack is launched from several virtual private servers that scan the internet on TCP port 445 for potential targets.
"Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host," Kafeine said.
"Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools."