
In May 2017, the WannaCry ransomware attack was all over the news as what some have called the biggest cyberattack to date.

Shortly after this incident, Adylkuzz was discovered, using the same vulnerability and exploit as WannaCry – specifically, the ETERNALBLUE SMB exploit. This allowed Adylkuzz to remotely access vulnerable computers and load the DOUBLEPULSAR backdoor. In turn, this was used to install the Trojan payload. The payload itself uses the victim's computer as a node in a cryptocurrency-mining botnet, specifically mining Monero.

Targets for infection are discovered via large-scale scanning of the Internet for TCP port 445 (SMB). On discovering a system with a vulnerable port, Adylkuzz uses ETERNALBLUE to access the system and backdoors it using DOUBLEPULSAR. Once the backdoor is in place, the port is blocked, which prevents rival malware from interrupting its process but also disrupts communications with legitimate SMB services. Mining software is then loaded onto the computer and launched in the background.

The effects of the infection will be most apparent to the user once the miner begins its hashing work. At this point, the user will likely notice a general slowdown in computer performance, as well as spikes in CPU temperature (potentially leading to permanent CPU damage). This is because all CPU resources are rededicated to mining for coin, and it can be detected by listening for the cooling fan spinning up. Earlier symptoms include loss of connectivity to SMB-based services (Windows file and printer shares with non-Windows devices).
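The port 445 scanning described above is also visible from the network side. The following added example (not code from the original post or from ThreatSTOP) flags hosts that reach many distinct destinations on TCP/445 within a short sliding window, which is the fan-out pattern an infected machine shows while hunting for new victims; the log lines are constructed, and the "timestamp src= dst= dport=" layout is an assumption to adapt to your own firewall format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured traffic); the "ts src= dst= dport=" layout is assumed.
SAMPLE_LOG = """\
2017-05-16T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445
2017-05-16T10:00:01 src=10.0.0.5 dst=10.0.0.21 dport=445
2017-05-16T10:00:02 src=10.0.0.5 dst=10.0.0.22 dport=445
2017-05-16T10:00:02 src=10.0.0.5 dst=10.0.0.23 dport=445
2017-05-16T10:00:03 src=10.0.0.5 dst=10.0.0.24 dport=445
2017-05-16T10:00:03 src=10.0.0.5 dst=10.0.0.25 dport=445
2017-05-16T10:00:04 src=10.0.0.8 dst=10.0.0.20 dport=445
2017-05-16T10:00:30 src=10.0.0.8 dst=10.0.0.20 dport=445
2017-05-16T10:00:31 src=10.0.0.8 dst=203.0.113.10 dport=443
2017-05-16T10:05:00 src=10.0.0.9 dst=10.0.0.26 dport=445
2017-05-16T10:05:01 src=10.0.0.9 dst=10.0.0.27 dport=445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))
            for m in matches if m]

def find_smb_scanners(events, window=timedelta(seconds=60), threshold=5):
    """Flag sources reaching >= threshold distinct hosts on TCP/445 inside any
    sliding window. Returns {src: peak distinct-destination count}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        active = Counter()  # destinations whose hits lie inside the current window
        left = 0
        for ts, dst in hits:
            active[dst] += 1
            while ts - hits[left][0] > window:  # expire hits older than the window
                old = hits[left][1]
                active[old] -= 1
                if not active[old]:
                    del active[old]
                left += 1
            if len(active) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(active))
    return flagged
```

A workstation that repeatedly talks to one file server (10.0.0.8 in the sample) is not flagged; a host sweeping six neighbours on 445 in a few seconds (10.0.0.5) is.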

Enabling the TSCritical targets in your user policy will add protection against Adylkuzz to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account, sign up for a free trial.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our Support team.