Adylkuzz is a cryptocurrency-mining botnet discovered by security firm Proofpoint in May 2017 while the company's analysts were researching the WannaCry ransomware campaign. The analysts deliberately exposed a vulnerable system to the EternalBlue exploit in an attempt to infect it with a sample of the WannaCry ransomware variant. However, within 20 minutes of the exposure, the vulnerable system became infected with Adylkuzz instead. They determined that the botnet attack was launched from several virtual private servers tasked with scanning the internet for vulnerable systems that had TCP port 445 exposed.
Once a vulnerable system is successfully exploited with EternalBlue, it is infected with DoublePulsar, a kernel DLL injection technique that creates a backdoor. DoublePulsar then downloads Adylkuzz from an external host and runs it. Once launched, Adylkuzz first terminates any instances of itself already running on the system and blocks SMB traffic, preventing new infections, including those resulting from WannaCry. It then collects the victim's public IP address and downloads the cryptocurrency mining software, mining instructions, and cleanup tools. Analysts determined that this attack was designed to mine Monero, a cryptocurrency touted as a more secure and anonymous alternative to Bitcoin.
The NJCCIC recommends scanning all systems and reviewing network traffic logs for the indicators of compromise (IoCs) provided in the Proofpoint report. If an Adylkuzz infection is discovered, please report the incident to the NJCCIC using our online submission form and to the FBI Internet Crime Complaint Center (IC3).
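As an added example of the log review recommended above (not code from the NJCCIC or Proofpoint), the following Python routine parses constructed firewall log lines and flags the two network signals described in this advisory: accepted inbound TCP/445 connections from internet addresses, and traffic to or from an IoC list. The log format, sample addresses and the IoC set are assumptions; the IoC set is a placeholder to be replaced with the indicators published in the Proofpoint report.

```python
import ipaddress
import re

# Constructed sample of firewall log lines (documentation IP ranges, not real traffic).
SAMPLE_LOGS = """\
2017-05-15T10:01:02Z ALLOW TCP 203.0.113.7:51234 -> 10.0.0.15:445
2017-05-15T10:01:05Z ALLOW TCP 10.0.0.15:49710 -> 198.51.100.23:80
2017-05-15T10:02:11Z ALLOW TCP 10.0.0.22:50011 -> 10.0.0.15:445
2017-05-15T10:03:40Z DENY TCP 203.0.113.9:40000 -> 10.0.0.16:445
"""

# PLACEHOLDER IoC set: substitute the addresses published in the Proofpoint report.
IOC_IPS = {"198.51.100.23"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Assumed log format: "<timestamp> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text: str, ioc_ips=IOC_IPS) -> list:
    """Return one finding per log line consistent with the Adylkuzz infection chain."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        f = m.groupdict()
        reasons = []
        # Initial access: internet scanners reaching an exposed TCP/445 (SMB) service.
        if f["action"] == "ALLOW" and f["proto"] == "TCP" and f["dport"] == "445" \
                and not is_internal(f["src"]) and is_internal(f["dst"]):
            reasons.append("inbound SMB (TCP/445) accepted from internet source")
        # Payload stage: the backdoor fetches Adylkuzz and the miner from external hosts.
        if f["dst"] in ioc_ips or f["src"] in ioc_ips:
            reasons.append("address matches IoC list")
        if reasons:
            victim = f["dst"] if is_internal(f["dst"]) else f["src"]
            findings.append({"ts": f["ts"], "victim": victim, "reasons": reasons})
    return findings
```

Internal-to-internal SMB and denied connections are deliberately not flagged, so the output is a list of internal hosts worth scanning rather than every port-445 event.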
Reporting and Technical Details:
- Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks via EternalBlue/DoublePulsar (Proofpoint)