Anti-Malware , Endpoint Security , Ransomware

Before WannaCry, Cryptocurrency Miners Exploited SMB Flaw

Massive Cryptocurrency Malware Campaign Blocked SMB Flaw, Blunting WannaCry
Before WannaCry, Cryptocurrency Miners Exploited SMB Flaw
Since April, a Adylkuzz botnet campaign has targeted the Windows SMB flaw to infect endpoints with malware that mines for monero cryptocurrency, pictured.

Weeks before the WannaCry outbreak, other attackers unleashed malware that also targeted the server messaging block flaw in Windows. But this attack campaign, instead of installing ransomware - like WannaCry's operators - instead exploited the SMB flaw to install cryptocurrency mining malware named Adylkuzz.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

As a side effect, the malware also blocked any other attack code from exploiting the SMB flaw to gain a presence on the endpoint, which may have blunted the impact of Friday's WannaCry outbreak.

So says "Kafeine," a malware researcher with security firm Proofpoint, who reports that researchers have identified at least 20 hosts being used to scan for potentially vulnerable systems via TCP port 445 and launch related attacks, and 12 command-and-control servers for controlling infected endpoints. But the security firm says the actual attack infrastructure is likely much larger.

Proofpoint first discovered the Adylkuzz campaign after leaving a virtual machine, running a version of Windows vulnerable to the SMB flaw, connected to the internet. Just 20 minutes later, it reports, the endpoint had been infected with Adylkuzz. Several repeat experiments, it says, produced the same results.

It's not clear how many endpoints have been infected by the Adylkuzz mining botnet, which attackers are using to mine for cryptocurrency called monero. Mining refers to the practice of generating new cryptocurrency, which requires solving computationally intensive operations, after which miners have a chance of being rewarded with the new currency that has been generated. Doing mining profitably and legitimately typically requires investing in high-end, dedicated mining rigs.

Criminals, of course, are always looking for ways to make a fast buck, and that's given rise to mining malware such as Adylkuzz, which presses infected endpoints into the service of a cryptocurrency mining botnet. Instead of using dedicated hardware, related operations get distributed to what may be thousands of infected endpoints' processors.

Analysis of an Adylkuzz infection - in a virtual machine - shows it closing the SMB door as well as launching Monero mining. (Source: Proofpoint)

The discovery of the cryptocurrency mining botnet shows that organizations that fail to patch their systems aren't just at risk from flashy attacks, such as WannaCry, but also stealthier attacks that don't always announce their presence.

Target: EternalBlue

The SMB flaw targeted by this Adylkuzz campaign existed in all versions of Windows since XP and came to light in April, via a dump of "Equation Group" tools released by the Shadow Brokers.

Microsoft quietly patched the SMB flaw in all supported operating systems in March. After the WannaCry outbreak began Friday, however, Microsoft that night released free, emergency patches for Windows XP, Windows Server 2003 and Windows 8 users. Prior to that, the patches had only been available for customers who paid for pricey extended-support contracts for the operating systems, for which Microsoft has ceased providing mainstream support.

Many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.

One of the Equation Group exploits included in the April dump, called EternalBlue, is designed to exploit the SMB flaw in Windows. If successful, the Equation Group would then often install a backdoor called DoublePulsar onto the exploited endpoint to give it persistent, quiet access to the system.

The WannaCry attacks used a worm that looked for the presence of DoublePulsar on an endpoint, and then used it to install WannaCry ransomware. If that backdoor was not present, then the worm attempted to exploit EternalBlue - the SMB flaw - to access the system and install ransomware. Once the ransomware infected a system, it could then spread to other endpoints on the same network.

Adylkuzz Campaign Continues

The WannaCry outbreak began May 12. But Proofpoint says that the Adylkuzz campaign that targeted DoublePulsar and EternalBlue appears to have begun as early as April 24 - nearly three weeks earlier - and hasn't stopped.

"This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," Kafeine says in a Monday blog post.

"Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance," Kafeine adds. In addition, Proofpoint reports that multiple outbreaks that were attributed to the WannaCry campaign, but which involved no ransom notice, may, in fact, have instead been part of the Adylkuzz campaign.

As with WannaCry, the Adylkuzz malware first attempts to exploit a system via EternalBlue, and if successful then infects the endpoint with DoublePulsar, Kafeine says. "Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection, Kafeine says. "It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools."

Cryptomining for Monero

This Adylkuzz campaign is mining not for the world's most well-known cryptocurrency, but rather for monero.

One of several monero addresses associated with income from Adylkuzz mining tied to this campaign. (Source: Proofpoint)

Also known as XMR, the creators of the cryptocurrency claim that it's more private and difficult to trace than bitcoin.

Daily payment activity tied to a single Adylkuzz mining address tied to the attack campaign. (Source: Proofpoint)

Crytptocurrency options abound. But monero got a boost last year, when the operators of the darknet marketplace Alphabay announced on Reddit that as of Sept. 1, 2016, they would begin allowing monero deposits and withdrawals.

"Following the demand from the community, and considering the security features of monero, we decided to add it to our marketplace," they wrote.

Some ransomware attackers have begun to demand monero for ransom payments, rather than bitcoins. One example is the trekker-themed Kirk ransomware discovered in March (see Star Trek Ransomware Boldly Encrypts).

Currently, it's more processor-efficient to mine for monero than bitcoin, based on the processing power required. On the Coinwarez list of cryptocurrency profitability, for example, Monero ranks 20th in profitability, while bitcoin is ranked 41st. That reflects in part how new bitcoin blocks have become quite computationally intensive to solve, demanding a much greater amount of processing power - and thus electricity, which takes a bite out of potential profits - than other types of mining.

Attacker Identity: Unclear

So far it's not clear who's behind this cryptocurrency mining operation. A version of WannaCry seen in February contains code that was used in a 2015 attack tied to Lazarus - a hacking group security experts say ties to North Korea. But anyone could have reused the 2015 code, which is publicly available, Matt Suiche, managing director at incident response firm Comae Technologies, tells Cyberscoop. "Attribution can always be faked, as it's only a matter of moving bytes around," he says.

On the other hand, security firm Kaspersky Lab in April reported that it had discovered a North Korean IP address in a log of a command-and-control server used by Lazarus. Kaspersky Lab said the server was running cryptocurrency software designed to mine monero. This Adylkuzz campaign, of course, is also designed to mine for monero, and that is "more than coincidence," Ryan Kalember, senior vice president of cybersecurity strategy for Proofpoint, tells Reuters. "It's a really strong overlap," he says. "It's not like you see Monero miners all over the world."

Takeaway: Patch or Perish

The choice of monero for this Adylkuzz cryptocurrency mining botnet's operations aside, the campaign is a reminder that organizations running applications and operating systems that don't have the latest software updates or security fixes remain at risk from enterprising attackers.

"Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly," Kafeine says. "Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible."

****
May 17: This story has been updated to reflect the potential connection between the Adylkuzz campaign, the WannaCry outbreak and North Korea's Lazarus hacking team.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network