On Friday, ransomware called WannaCry used leaked hacking tools
stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency. Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.
Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:
In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.
Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download[s] the mining instructions, cryptominer, and cleanup tools.It appears that at any given time there are multiple Adylkuzz command and control (C&C) servers hosting the cryptominer binaries and mining instructions.
Symptoms of the attack include a loss of access to networked resources and system sluggishness. Kafeine said that some people who thought their systems were infected in the WannaCry outbreak were in fact hit by the Adylkuzz attack. The researcher went on to say this overlooked attack may have limited the spread of WannaCry by shutting down SMB networking to prevent the compromised machines from falling into the hands of competing botnets. Proofpoint researchers have identified more than 20 hosts set up to scan the Internet and infect vulnerable machines they find. The researchers are aware of more than a dozen active Adylkuzz control servers. The botnet then mined Monero, a cryptocurrency that bills itself as being fully anonymous, as opposed to Bitcoin, in which all transactions are traceable.
Monday's report came the same day that a security researcher who works for Google found digital fingerprints tying a version of WCry from February to Lazarus Group, a hacking operation with links to North Korea. In a report published last month, Kaspersky Lab researchers said Bluenoroff, a Lazarus Group offshoot responsible for financial profit, installed cryptocurrency-mining software on computers it hacked to generate Monero coins. "The software so intensely consumed system resources that the system became unresponsive and froze," Kaspersky Lab researchers wrote.
Assembling a botnet the size of the one that managed WannaCry and keeping it under wraps for two to three weeks is a major coup. Monday's revelation raises the possibility that other botnets have been built on the shoulders of the NSA but have yet to be identified.