Look anywhere in the news today and it’s hard to miss coverage about WannaCry, the SMB exploit-loving ransomware that wormed its way into all our hearts. This piece of malware certainly proved a few points about the current state of cyber security – namely that patch management, network segmentation, asset management and perimeter defense are all areas that need to be taken more seriously.
In addition, however, while attempting to capture new samples of WannaCry in the wild over the weekend, a surprising discovery was made by security researchers: a similar piece of malware was already on the loose and had been performing its nefarious duties in a much less intrusive manner. More surprisingly, it had been active since mid-April, weeks before the more recent WannaCry outbreak. This malware was part of a more traditional botnet intended to use its victims to mine cryptocurrency, and it may have unintentionally taken the edge off of what WannaCry otherwise could have done.
This malware is the Adylkuzz cryptocurrency mining botnet and it spread through the same one-two punch of EternalBlue/DoublePulsar that WannaCry utilized. Instead of encrypting a victim’s files and holding them for ransom this malware simply eats resources on a machine to mine Monero cryptocurrency. The mining software uses spare processor cycles and memory to perform difficult computations. In addition to starting this mining process, the DoublePulsar payload delivered by the botnet also adds a firewall rule to block port 445 access, the SMB port that was used to infect the victim with this Adylkuzz botnet.
Since both the mining process and addition of a single firewall rule are relatively benign actions to a victim, the only real symptoms of infection would be a slightly sluggish workstation or server and potential loss of file shares. This minimal impact is probably what allowed the botnet to operate for weeks without detection. Additionally, its actions probably prevented the WannaCry epidemic from being as bad as it could have been since the victims of Adylkuzz could not be infected because the required port was no longer open.
More than 20 active exploitation hosts and more than a dozen C2 servers have been identified since discovery over the weekend, though there are probably additional exploitation/C2 servers remaining to be found.
As the dust begins to settle from this outbreak of infections a few questions remain:
- What other malware has been utilizing these leaked exploits that may have gone unnoticed?
- How will others change them to increase their usefulness?
- What will organizations change to ensure that the next major release of exploits doesn’t result in a similar outcome?
Threat Research
Thanks to the analysis of Adylkuzz provided by Kaffeine and others we can provide information about the following IOCs:
Selection of Domain/IP Address | Date | Comment |
45.32.52[.]8 | 2017-05-16 | Attacking host |
45.76.123[.]172 | 2017-05-16 | Attacking host |
104.238.185[.]251 | 2017-05-16 | Attacking host |
45.77.57[.]194 | 2017-05-14 | Attacking host |
45.76.39[.]29 | 2017-05-15 | Attacking host |
45.77.57[.]36 | 2017-05-15 | Attacking host |
104.238.150[.]145 | 2017-05-14 | Server hosting the payload binary |
08.super5566[.]com | 2017-05-14 | Adylkuzz C&C |
a1.super5566[.]com | 2017-05-02 | Adylkuzz C&C |
aa1.super5566[.]com | 2017-05-01 | Adylkuzz C&C |
lll.super1024[.]com | 2017-04-24 | Adylkuzz C&C |
07.super5566[.]com | 2017-04-30 | Adylkuzz C&C |
am.super1024[.]com | 2017-04-25 | Adylkuzz C&C |
05.microsoftcloudserver[.]com | 2017-05-12 | Adylkuzz C&C |
d.disgogoweb[.]com | 2017-04-30 | Adylkuzz C&C |
panel.minecoins18[.]com | 2014-10-17 | Adylkuzz C&C in 2014 |
wa.ssr[.]la | 2017-04-28 | Adylkuzz C&C |
45.77.57[.]190 | 2017-05-15 | Host presenting same signature as attackers |
45.77.58[.]10 | 2017-05-15 | Host presenting same signature as attackers |
45.77.58[.]40 | 2017-05-15 | Host presenting same signature as attackers |
45.77.58[.]70 | 2017-05-15 | Host presenting same signature as attackers |
45.77.56[.]87 | 2017-05-15 | Host presenting same signature as attackers |
45.77.21[.]159 | 2017-05-15 | Attacking Host |
45.77.29[.]51 | 2017-05-15 | Host presenting same signature as attackers |
45.77.31[.]219 | 2017-05-15 | Host presenting same signature as attackers |
45.77.5[.]176 | 2017-05-15 | Host presenting same signature as attackers |
45.77.23[.]225 | 2017-05-15 | Host presenting same signature as attackers |
45.77.58[.]147 | 2017-05-15 | Host presenting same signature as attackers |
45.77.56[.]114 | 2017-05-15 | Host presenting same signature as attackers |
45.77.3[.]179 | 2017-05-15 | Host presenting same signature as attackers |
45.77.58[.]134 | 2017-05-15 | Host presenting same signature as attackers |
45.77.59[.]27 | 2017-05-15 | Host presenting same signature as attackers |
Select Dropped Samples
SHA-256 | Date | Comment |
8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233 | 2017-05-14 | Adylkuzz.B spread via EB/DP |
450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f | 2017-04-24 | Adylkuzz.A (we are not sure that instance was spread via EB/DP) |
a7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 | 2017-05-14 | s2bk.1_.exe |
e96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee | 2017-05-14 | 445.bat (? seems to cleanup old variant of the coin miner and stop windows Update) |
e6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 | 2017-05-14 | Msiexev.exe Bitcoin miner process |
55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 | 2017-05-02 | Bitcoin miner process |
6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 | 2017-05-15 | Adylkuzz.B spread via EB/DP |
Executed commands:
taskkill /f /im hdmanager.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
taskkill /f /im mmc.exe
sc stop WELM
sc delete WELM
netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445
protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y
C:\Windows\Fonts\wuauser.exe –server
C:\Windows\Fonts\msiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u
49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6
NtSRewnHF5MNA3LbQTBQV3v9i -p x -t 1
C:\Windows\TEMP\\s2bk.1_.exe /stab C:\Windows\TEMP\\s2bk.2_.log
taskkill /f /im msiexev.exe
netsh advfirewall firewall delete rule name=”Chrome”
netsh advfirewall firewall delete rule name=”Windriver”
netsh advfirewall firewall add rule name=”Chrome” dir=in program=”C:\Program
Files\Google\Chrome\Application\chrome.txt” action=allow
netsh advfirewall firewall add rule name=”Windriver” dir=in program=”C:\Program
Files\Hardware Driver Management\windriver.exe” action=allow
C:\Windows\445.bat
C:\Windows\system32\PING.EXE ping 127.0.0.1
net stop Windows32_Update
attrib +s +a +r +h wuauser.exe
C:\Windows\system32\SecEdit.exe secedit /configure /db C:\Windows\netbios.sdb
C:\Windows\system32\net1 stop Windows32_Update
Source:
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-
for-weeks-via-eternalblue-doublepulsar