bastribe.blogg.se

Exploited miners to infect vmware horizon

On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency. Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry. Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol.

In a blog post published Monday afternoon, Kafeine wrote:

In the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.

Figure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz being downloaded from another host. A hash of a pcap of this capture is available in the IOCs table.

The attack is launched from several virtual private servers which are massively scanning the Internet on TCP port 445 for potential targets. Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools.