The malware spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the Shadow Brokers a few weeks ago. We previously reported on this malware in our blog; if, for some reason, you're unfamiliar with it, read that post before continuing here.
Today another piece of malware has surfaced that uses the same exploit to spread itself to vulnerable machines. The malware, Adylkuzz, is a CoinMiner, which means that it uses machine resources, without the user's consent, to mine virtual currency. This specific variant was used to mine Monero coins.
This CoinMiner is not a new variant. According to McAfee, there are samples as old as October 2014, but its usage has increased since April. Online reports mention that this malware has infected machines after a successful exploitation of the MS17-010 vulnerability followed by the installation of the EternalBlue/DoublePulsar backdoor.
Adylkuzz has not changed much in all these years, as we can see by comparing the code among the different waves. For example, the following graphs represent code differences between the October 2014 variant and the first wave starting in April this year:
The number of functions that changed was very small:
The same can be seen between the April variant and the latest samples received:
Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning remote hosts with a tool such as Metasploit and installing the CoinMiner via the DoublePulsar backdoor. A port of the MS17-010 exploit is already available for Metasploit.
This new malware campaign, detected by Proofpoint, could prove more widespread than WannaCry: according to Proofpoint, hundreds of thousands of PCs and servers worldwide may be affected. Because the attack shuts down SMB networking to prevent further infections by other malware (including the WannaCry worm) that uses the same vulnerability, end users will only notice that their Windows machine is running slowly and that they have lost access to shared Windows resources.
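The two observable effects described above, an exposed SMBv1 service before infection and a dead SMB listener afterwards, can both be checked locally. The following PowerShell snippet is an added example written for this post, not code from the original article or from any vendor; it assumes a Windows 8 / Server 2012 or later host where the SmbShare and NetTCPIP modules are available, and `Get-Smb1Exposure` is a hypothetical function name chosen here.

```powershell
# Added example (not from the original article): report a host's SMBv1 exposure
# and whether its SMB listener is still up. Assumes Windows 8 / Server 2012 or
# later; run from an elevated PowerShell session.
function Get-Smb1Exposure {
    $result = [ordered]@{}

    # Server-side SMBv1 protocol switch: the surface targeted by MS17-010.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $result.EnableSMB1Protocol = if ($cfg) { $cfg.EnableSMB1Protocol } else { 'unknown' }

    # Legacy registry override honoured by LanmanServer; a missing value means SMBv1 is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    $result.RegistrySMB1 = if ($null -ne $reg) { $reg.SMB1 } else { 'not set (defaults to enabled)' }

    # Optional-feature state on client SKUs (Windows 8.1 / 10); 'n/a' on server SKUs.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.SMB1ProtocolFeature = if ($feat) { $feat.State } else { 'n/a' }

    # Is anything still listening on TCP/445? A host whose shares suddenly became
    # unreachable, as the article describes, will show $false here.
    $listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listener

    [pscustomobject]$result
}

Get-Smb1Exposure | Format-List
```

A host reporting `EnableSMB1Protocol : True` with an unpatched OS is exposed to the spreading mechanism described above; a host that previously served shares and now reports `Port445Listening : False` without an administrator having changed anything matches the symptom the article attributes to Adylkuzz and is worth a closer look.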