Feeling blue?
Feeling blue?

There is no honour among thieves – nor it appears, originality. WannaCry was not the first malware to exploit EternalBlue, the exploit written by the NSA to take advantage of the Microsoft SMB vulnerability.

According to the researchers who discovered it, this previously unknown infection may be bigger than WannaCry and be earning its masters thousands of dollars a day.

EternalBlue is a worm that can spread from device to device on a network via port 445, thanks to the SMB vulnerability. While Microsoft patched it with update MS17-010, many computers have not been updated and remain vulnerable.

This is how WannaCry (or WannaCrypt0r or sometimes Wanna Decryptor) spread so quickly through host networks after hijacking individual computers.

EternalBlue was one of a suite of tools including DoublePulsar which were stolen from the NSA and acquired by the Shadow Brokers. After failing to auction the tools on the black market, the group copied them to Github for anyone to use.

Proofpoint has discovered that another cyber-criminal group is using EternalBlue and DoublePulsar to install a cryptocurrency miner called Adylkuzz.

The attack actually shuts down SMB networking to protect the infected computer from further infections from competing malware trying to use the same attack vector. Ironically, this may have helped to limit the impact of WannaCry, wrote security researcher Kafeine in a Proofpoint blogpost.

Kafeine said “initial statistics suggest that this attack maybe larger in scale than WannaCry”.

Infection by Adylkuzz will cause “loss of access to shared Windows resources and degradation of PC and server performance”.

Robert Holmes, vice president of products at Proofpoint, commented: “While quieter and without a user interface, the Adylkuzz attack is more profitable for cyber-criminals. It makes infected users unwitting participants in providing funding for their attackers.”

It appears that some organisations that thought they were infected with WannaCry may in fact have been hit by Adylkuzz. “It should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24. This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive,” Kafeine said.

The attack was detected by exposing a test machine to an EternalBlue attack. While expecting to be infected with WannaCry, the researchers instead found it was colonised within 20 minutes by Adylkuzz.

The attackers are running massive scanning operations from virtual private servers. When they find a target machine, they infect it with DoublePulsar which then downloads and runs Adylkuzz. “Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools,” the researcher wrote.

The objective is to mine the Monero cryptocurrency, favoured by members of the AlphaBay darknet market.

While it's difficult to say just how much the attackers are earning, because they regularly switch Monero addresses, Proofpoint found evidence of several Monero addresses each racking up thousands of dollars a day.

“While an individual laptop may generate only a few dollars per week, collectively the network of compromised computers appears to be generating five-figure payouts daily. Unlike ransomware, no demands for money are made of victims. The malware is deliberately stealthy; users will only notice their Windows machine is running slowly and that they don't have access to shared Windows resources,” Holmes said.

Read more on the Proofpoint blog.