Last week’s WannaCry ransomware could be dwarfed by a new malware that effectively enslaves Windows machines into botnets to mine for Monero.
After last Friday’s unprecedented global cyberattack led by the WannaCry ransomware, a new type of malware – a rogue cryptocurrency miner called Adylkuzz – has been affecting hundreds and thousands of PCs worldwide, according to researchers at cybersecurity firm Proofpoint.
“[W]ithin 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” researchers revealed.
The Adylkuzz malware campaign also exploits the same Windows vulnerability (MS17-010) abused by WannaCry. The malware spreads through EternalBlue, the NSA exploit exposed by the Shadow Brokers’ dump of NSA hacking tools.
It snuck under the radar, however, since it does not encrypt and lockdown files to demand bitcoin ransoms. Instead, the stealthy malware brings monetary gains to attackers by discreetly mining Monero, a cryptocurrency with enhanced privacy features compared to bitcoin.
Most victims are unlikely to even know that their Windows computers are compromised. The only symptoms of an infection are sluggish PC and server performance and the loss of access to shared Windows drives.
Initial statistics suggest that this attack may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.
The cryptocurrency miner predates the WannaCry cyberattack, ‘beginning at least on May 2 and possibly as early as April 24’. Researchers revealed evidence of the clandestine Monero mining operation, with one of several Monero addresses revealing a payout of just over $22,000 in the cryptocurrency before shutting down.
Ryan Kalember, Proofpoint’s senior VP of cybersecurity strategy stated:
While an individual laptop may generate only a few dollars per week, collectively the network of compromised computers appears to be generating five-figure payouts daily
Another payment address shows over $7,000 while a third address with a higher has rate had a ‘current’ payment total of over $14,000.
“We don’t know how big it is” Proofpoint’s vice president for email products Robert Holmes told AFP. However, what he does know is that “it’s much bigger than WannaCry.”
“We have seen that before – malwares mining cryptocurrency – but not this scale” Holmes added.
Outdated Windows computers remain vulnerable to the rogue Monero-miner attack, as they are with the WannaCry ransomware. Security researchers recommend updating Windows machines to Microsoft’s latest patches.
Screengrabs from Proofpoint.
Featured image from Shutterstock.
Last modified: May 21, 2020 9:49 AM UTC