Even as the world recovers from the massive WannaCry ransomware cyber attack that took an estimated 200,000 computer systems from 150 countries hostage, cyber security firm Proofpoint warns of another ongoing cyber attack that makes the WannaCry cataclysm look like child’s play in comparison.
According to Kafeine, a security researcher at the firm, Adylkuzz appears to have a larger, more far-reaching effect judging by initial statistics. The attack could affect hundreds of thousands of servers and PCs all over the world before it is concluded.
Incredibly, security researchers say that Adylkuzz could have begun infecting computer systems from as early as April 24. The covertness of the malware, coupled with the global hysteria that followed the WannaCry ransomware cyber attack, contributed to its concealment up until recently.
Despite using the same exploits to take over computer systems, WannaCry and Adylkuzz are very different. While WannaCry demanded a ransom paid in bitcoin to decrypt files on the computers it infected, Adylkuzz operates in the background.
Save for a significant dip in the performance of the computers it infects, the malware is virtually undiscoverable.
The malware’s primary function is to mine digital currency, specifically the privacy-centric Monero which had just begun gaining some ground on its competitors after AlphaBay integrated the cryptocurrency into its payment systems earlier this year.
How Adylkuzz Could Have Slowed the Spread of WannaCry
One of the characteristics of the Adylkuzz malware is that it turns off SMB networking on the computer systems it infects, effectively shutting out cyber attacks from any other malware. Kafeine believes this could have something to do with the premature end of the WannaCry cyber attack.
Similar to WannaCry, the latest cyber attack utilizes two National Security Agency-developed exploits, EternalBlue and DoublePulsar, that were leaked by a hacking outfit known as The Shadow Brokers. These programs attack computers over corporate LANs and wireless networks.
But unlike the WannaCry ransomware, Adylkuzz’s primary task is to mine digital currency. The apparently resource-heavy malware drastically slows down the performance of the PC it compromises.
The subsequent infection process (after the first contact from the cyber attack) involves using the EternalBlue exploit to pry the entry point open and to leave it ajar. Once inside the system, Adylkuzz then proceeds to use the DoublePulsar exploit to download and run the malware.
Adylkuzz first kills off any similar versions of itself and creates a block over the SMB network to prevent any other cyber attack from interrupting its operations.
During this stage, cyber security experts admit that the malware is still hard to detect. Once Adylkuzz is satisfied with the environment it has created, it then proceeds to download mining instructions, a digital currency miner and cleanup tools to mask its tracks during the cyber attack.
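The three observable stages the article describes (inbound SMB contact, SMB then being blocked on the host, and a new process holding the CPU for a long stretch) can be correlated per host from ordinary endpoint telemetry. The script below is an added example written for this page, not Proofpoint's or the article's code; the event schema, the thresholds and the sample log are all constructed here to illustrate the heuristic, and none of the process names are real Adylkuzz indicators.

```python
"""Host-level correlation heuristic for Adylkuzz-style miner infections.

Constructed example; not Proofpoint's or the article's code.
Looks for the chain the article describes on a single host:
  1. inbound SMB (TCP/445) connection from a peer on the LAN,
  2. shortly afterwards a new local rule blocking TCP/445 (the malware
     shutting the door behind itself),
  3. a new process that then holds high CPU for a sustained period.
Event field names, thresholds and the sample log are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "smb_inbound" | "fw_block_445" | "cpu_sample"
    proc: str = ""     # process name, only for cpu_sample
    cpu: float = 0.0   # CPU percent, only for cpu_sample


# Constructed sample telemetry; process names are not real indicators.
SAMPLE_EVENTS: List[Event] = [
    Event(1000, "ws-01", "smb_inbound"),
    Event(1060, "ws-01", "fw_block_445"),
    Event(1100, "ws-01", "cpu_sample", "updater.exe", 97.0),
    Event(1400, "ws-01", "cpu_sample", "updater.exe", 95.0),
    Event(1700, "ws-01", "cpu_sample", "updater.exe", 98.0),
    # ws-02: a legitimate backup job; no SMB block, only a short CPU burst
    Event(1000, "ws-02", "smb_inbound"),
    Event(1100, "ws-02", "cpu_sample", "backup.exe", 99.0),
    Event(1200, "ws-02", "cpu_sample", "backup.exe", 10.0),
    # ws-03: an admin disabled SMB by policy; no preceding inbound SMB
    Event(2000, "ws-03", "fw_block_445"),
]

WINDOW = 900          # seconds between first SMB contact and the SMB block
CPU_THRESHOLD = 90.0  # percent
SUSTAIN = 600         # seconds a process must stay above the threshold


def sustained_hot_process(samples: List[Event],
                          threshold: float = CPU_THRESHOLD,
                          sustain: int = SUSTAIN) -> Optional[str]:
    """Return the name of a process whose CPU stayed >= threshold for at
    least `sustain` seconds without dropping below it, else None."""
    by_proc = defaultdict(list)
    for e in sorted(samples, key=lambda e: e.ts):
        by_proc[e.proc].append(e)
    for proc, evs in by_proc.items():
        start = None
        for e in evs:
            if e.cpu >= threshold:
                if start is None:
                    start = e.ts
                if e.ts - start >= sustain:
                    return proc
            else:
                start = None  # run of high CPU broken; start over
    return None


def score_hosts(events: List[Event]) -> Dict[str, dict]:
    """Score each host on the three-stage chain.
    Returns {host: {"score": n, "reasons": [...]}}; score 3 means all
    three stages were seen in order."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e.host].append(e)
    results = {}
    for host, evs in per_host.items():
        smb = [e.ts for e in evs if e.kind == "smb_inbound"]
        blocks = [e.ts for e in evs if e.kind == "fw_block_445"]
        cpu = [e for e in evs if e.kind == "cpu_sample"]
        reasons = []
        if smb:  # the chain only counts if it starts with inbound SMB
            t0 = min(smb)
            reasons.append("inbound SMB contact")
            if any(t0 <= b <= t0 + WINDOW for b in blocks):
                reasons.append("SMB blocked shortly after inbound SMB")
            hot = sustained_hot_process([e for e in cpu if e.ts >= t0])
            if hot:
                reasons.append(f"sustained high CPU by {hot} after SMB contact")
        results[host] = {"score": len(reasons), "reasons": reasons}
    return results


def suspected_hosts(events: List[Event], min_score: int = 3) -> List[str]:
    """Hosts that exhibit the full chain (or at least `min_score` stages)."""
    return sorted(h for h, r in score_hosts(events).items()
                  if r["score"] >= min_score)


if __name__ == "__main__":
    for host, r in score_hosts(SAMPLE_EVENTS).items():
        print(host, r)
    print("suspect:", suspected_hosts(SAMPLE_EVENTS))
```

Only ws-01 reaches a score of 3: a backup job that spikes the CPU after a file-share connection (ws-02) and an administrator deliberately disabling SMB (ws-03) each match one stage but not the ordered chain, which is the point of correlating the stages rather than alerting on any one of them.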
Monero CEO at a Loss
Riccardo Spagni, CEO of the digital currency system Monero, was unsure what action to take following the announcement of the ongoing cyber attack. He expressed the company’s displeasure at being associated with the malware, but explained that there was nothing that could be done to stop the authors from maliciously mining as much digital currency as they wanted.
According to him, the system is not capable of distinguishing between a legitimate cryptocurrency miner and an impostor. He likened the abuse of digital currency in general to the misuse of tools such as hammers and vehicles.
Based on that reasoning, he believed that he was in no way to blame for the current cyber attack.
Proofpoint managed to identify three addresses that have so far been used during the cyber attack. The three had been used to generate a total of $43,000 before being shut down by the authors of the malware to cover their tracks.
The Worst Is Yet to Come
Security researchers believe that much worse is on the way. The WannaCry and Adylkuzz cyber attacks mark the first time the leaked NSA exploits have been used to cause some damage.
The leaked exploits, which seem to have been weaponized specifically to target Microsoft Windows operating systems, could be behind more lethal attacks with far worse consequences in the near future.