The WannaCry ransomware may have wreaked havoc over the weekend across the globe but another hacking tool stockpiled by the National Security Agency may have been causing trouble much earlier than its better publicised peer.
According to cybersecurity vendor Proofpoint, a cryptocurrency miner, dubbed Adylkuzz, has been making the most of the weakness in Microsoft’s Windows operating system while flying under the radar.
Instead of encrypting data, Adylkuzz is a malware that steals the computing power of machines to mine valuable cryptocurrencies, in this case Monero.
While not as well-known as Bitcoin, Monero is nevertheless a valuable commodity on the so-called ‘dark net’. It’s similar to Bitcoin but provides greater anonymity to users and, according to Proofpoint, recently saw a surge in activity after its adoption by the AlphaBay darknet market as its cryptocurrency of choice.
Like other cryptocurrencies, Monero increases market capitalisation through the process of mining. Each Monero is worth around $US27, compared with just 50 cents at the beginning of 2016 and the collective value of all Monero is now in excess of $170 million.
Malware like Adylkuzz infects as many machines as possible and harnesses them to secretly mine cryptocurrencies. In this case the malware not only used the “EternalBlue” exploit that was also used to spread the WannaCry ransomware but also infected machines with the DoublePulsar backdoor. DoublePulsar, which is another tool used by the NSA, downloads and runs the Adylkuzz malware on a machine once the system is breached.
Proofpoint researcher Kafeine said that the currency miner was found when his team was researching the WannaCry campaign.
“We exposed a lab machine vulnerable to the EternalBlue attack. While we expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the cryptocurrency miner Adylkuzz,” he said.
“We repeated the operation several times with the same result: within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.”
According to Kafeine, the attack started no later than May 2 and may have been targeting machines as early as April 24.
Symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance.
“Several large organisations reported network issues this morning that were originally attributed to the WannaCry campaign; however, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity,” Proofpoint said.
“This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive,” it added.