A new malware campaign exploits the same ‘EternalBlue’ SMB vulnerability revealed in a dump of hacking tools linked to the US National Security Agency and employed by the high-profile WannaCry/WannaCrypt ransomware.
Unlike WannaCrypt, however, the new campaign involves installing cryptocurrency mining software on infected systems instead of encrypting a user’s files, according to security company Proofpoint.
“While quieter and without a user interface, the Adylkuzz attack is more profitable for cybercriminals,” Proofpoint SVP of cybersecurity strategy Ryan Kalember said in a statement. “It makes infected users unwitting participants in providing funding for their attackers.”
The cryptocurrency being mined, Monero, has recently been adopted by the AlphaBay darknet market, Kalember said.
“Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection,” a Proofpoint briefing document on Adylkuzz states.
The company said the campaign was already in progress on 2 May but may have started as early as 24 April — little more than a week after the Shadow Brokers dump of NSA-linked hacking tools. The attackers have set up servers that scan the Internet for vulnerable computers.
“Once infected through use of the EternalBlue exploit, the cryptocurrency miner Adylkuzz is installed and used to generate cybercash for the attackers,” Kalember said.
“While an individual laptop may generate only a few dollars per week, collectively the network of compromised computers appears to be generating five-figure payouts daily. Unlike ransomware, no demands for money are made of victims. The malware is deliberately stealthy; users will only notice their Windows machine is running slowly and that they don't have access to shared Windows resources.”
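Two facts in the Proofpoint statements above are things a Windows administrator can check on a host: the attack surface EternalBlue uses (it exploits SMBv1, the MS17-010 vulnerability), and the symptom that infected machines lose SMB networking and access to shared Windows resources. The PowerShell below is an added, defender-side check, not code from the article or from Proofpoint. It assumes Windows 8/Server 2012 or later with the built-in SmbShare, NetTCPIP and NetSecurity modules, and it looks at firewall rules on TCP 445 only as one plausible place for a blocked SMB stack to show up; the article does not say how Adylkuzz shuts SMB down. The peer host names are placeholders.

```powershell
# Added example (not from the article or Proofpoint). Reports, for the local
# host: whether SMBv1 is still enabled (the EternalBlue/MS17-010 attack
# surface), whether the SMB server is running and listening, whether any
# enabled firewall rule blocks TCP 445, and optionally whether named peers are
# still reachable on 445. Run in an elevated PowerShell session.

function Get-SmbExposureReport {
    [CmdletBinding()]
    param(
        # Optional hosts whose SMB reachability you want to probe (placeholders).
        [string[]]$Peers = @()
    )

    $report = [ordered]@{}

    # 1. Attack surface: is the SMBv1 protocol still enabled server-side?
    #    Disabling it removes the surface EternalBlue exploits.
    $cfg = Get-SmbServerConfiguration
    $report['SMB1Enabled'] = [bool]$cfg.EnableSMB1Protocol

    # 2. Is the SMB server service running, and is anything listening on 445?
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    $report['ServerServiceStatus'] = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $report['ListeningOn445'] = [bool]$listen

    # 3. Enabled firewall rules that block TCP 445. Legitimate hardening does
    #    this too, so an unexpected rule is a lead to investigate, not a verdict.
    $blockRules = Get-NetFirewallRule -Enabled True -Action Block -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ((@($pf.LocalPort) + @($pf.RemotePort)) -contains '445')
        }
    $report['FirewallRulesBlocking445'] = @($blockRules | Select-Object -ExpandProperty DisplayName)

    # 4. Optional: can this host still reach SMB on the named peers? A sudden
    #    "no" on hosts that worked yesterday matches the symptom in the article.
    $reach = @{}
    foreach ($p in $Peers) {
        $t = Test-NetConnection -ComputerName $p -Port 445 -WarningAction SilentlyContinue
        $reach[$p] = [bool]$t.TcpTestSucceeded
    }
    $report['PeerSmbReachable'] = $reach

    [pscustomobject]$report
}

# Example usage; the peer names are placeholders, not hosts from the article.
Get-SmbExposureReport -Peers 'FILESERVER01', 'DC01' | Format-List
```

Read the output as a baseline to compare against, not as an infection test: `SMB1Enabled = True` means the host is still exposed to the vulnerability class described, and a new block rule on 445 or a peer that stopped answering is the kind of change worth correlating with CPU load and process listings before deciding whether the machine should be isolated.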
The federal government said yesterday that the number of confirmed Australian victims of WannaCrypt has grown. At least a dozen local small businesses have been hit by the ransomware attack.
“Small business owners should be pro-active about their cyber security in the wake of this ransomware campaign affecting computers around the world,” the minister assisting the prime minister for cyber security, Dan Tehan, said yesterday.
“If your business has been infected you should isolate the affected computer from your network to prevent the software spreading and use backup data to restore information.”