The ransomware attack that stormed the world over the past several days wasn’t the first to leverage the leaked EternalBlue/DoublePulsar NSA hacking tools for distribution, Proofpoint researchers have discovered.WannaCry might have gained everyone’s attention because of its destructive potential, but credit to being the first to use the EternalBlue exploit abusing a Server Message Block (SMB) vulnerability on TCP port 445 should go to the cryptocurrency miner Adylkuzz, Proofpoint says.Similar to WannaCry, the attack leverages the EternalBlue exploit to rapidly propagate from machine to machine, along with the NSA backdoor called DoublePulsar which is used to install a malicious payload on compromised machines.Symptoms of infection, however, aren’t as visible as with WannaCry: loss of access to shared Windows resources and degradation of PC and server performance.What’s more, the malicious code also shuts down SMB networking to prevent infections with other malware.According to ProofPoint security researcher Kafeine, this attack might have been much larger than the ransomware outbreak.

Furthermore, Kafeine suggests that, because Adylkuzz specifically patched the vulnerability targeted by WannaCry, it might have limited the latter’s infection.What is certain, however, is that “the Adylkuzz campaign significantly predates the WannaCry attack, beginning at least on May 2 and possibly as early as April 24.” Kafeine also notes that the infection is ongoing and is potentially quite disruptive, although not as flashy as the ransomware rampage.The Adylkuzz attack is launched from several virtual private servers.EternalBlue is abused for compromise, then the DoublePulsar backdoor is installed to download and run Adylkuzz from another host.Once up and running, the cryptocurrency miner first stops any potential instances of itself and blocks SMB communication to avoid further infection.Next, the malware determines the public IP address of the victim and then downloads the mining instructions, the cryptominer, and cleanup tools.As it turns out, the cryptominer binaries and mining instructions are hosted on multiple command and control (C&C) servers at the same time.

As part of this attack, Adylkuzz is mining for Monero, a cryptocurrency that saw a surge in activity after the AlphaBay darknet market adopted it last year: BondNet, a Monero-mining botnet that has been active since December 2016, was detailed recently, the Sundown exploit kit was previously dropping a Monero miner, and a Go-based miner was seen last year targeting Linux systems.bitcoin companies in torontoUnlike Bitcoin, which now generally requires dedicated, high-performance machines, the Monero mining process can be easily distributed across a botnet, Kafeine explains.nvidia and bitcoin miningMining payments associated with an Adylkuzz address suggests the attacks started on April 24.bitcoin miner software windows 8

On May 11, the actor supposedly switched to a new mining user address, to avoid having too many Moneros paid to a single address.Three observed addresses received around $43,000 in payments, the researcher says.“We have currently identified over 20 hosts set up to scan and attack, and are aware of more than a dozen active Adylkuzz C&C servers.litecoin block chartWe also expect that there are many more Monero mining payment addresses and Adylkuzz C&C servers associated with this activity,” Kafeine notes.ethereum decentralized exchangeThe SMB vulnerability that both WannaCry and Adylkuzz abuse has been addressed by Microsoft in March 2017, and also resolved on unsupported platforms via an emergency patch released over the weekend.bitcoin uk treasuryInstalling these patches should prevent the malware from spreading further.bitcoin etude

In the meantime, security researchers apparently linked the WannaCry attacks to the North Korea-linked hacking group Lazarus and suggest that more attacks might follow.Although the attacks have slowed down significantly as of Monday, even industrial systems might be at risk, experts warn.recibir bitcoin gratisIn the light of these attacks, installing the latest Windows patches might have never been a better course of action.litecoin wallet weeks behind“For organizations running legacy versions of Windows or who have not implemented the SMB patch that Microsoft released last month, PCs and servers will remain vulnerable to this type of attack.Whether they involve ransomware, cryptocurrency miners, or any other type of malware, these attacks are potentially quite disruptive and costly.Two major campaigns have now employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and individuals patch their machines as soon as possible,” Kafeine says.

Malware writers have devised lots of social engineering tactics to lure users into their scheme.This time around, we saw a Trojan passing itself off as a Trend Micro component as a way to trick users into downloading and executing it.We recently encountered a file and noticed the following properties (see below).For the untrained eye, this file can be mistaken as a Trend Micro product/component.But during our analysis, we verified this file as a Trojan in disguise.We believe that by spoofing Trend Micro properties, the people behind this threat are hoping to trick unwitting users into executing the file.This malware is already detected by Trend Micro as TROJ_RIMECUD.AJL.When user executes TROJ_RIMECUD.AJL, it creates the process svchost.exe where it injects its malicious code.Once done, the malware downloads a component package (refer to Figure 2).This downloaded package contains a bitcoin miner application created by Ufasoft.We detect this bitcoin app as HKTL_BITCOINMINE.Bitcoin is considered digital currency and can be used to pay certain transactions online.

This attack is timely because of the news that Bitcoin Central has been approved by the law to function as a bank where exchange from Euro and Bitcoins are now possible.For the past years, there have been cases wherein systems are infected with Bitcoin-mining malware and turning them into unwilling “miners”.In turn, these (systems) churn Bitcoins for the benefit of the bad guys while the affected users are left in the dark.Besides generating profit for its authors, this malware consumes too much of the system’s resources.In sudden slowdown of the system always check your running processes and search for unknown running application.This occurrence maybe caused by a possible infection of Bitcoin mining activity.To avoid becoming victim to this scheme, users must be extra-cautious when downloading applications, files found on the internet.Better yet, refrain from visiting unknown websites and clicking ads or shortened URLs contained in email messages from unverified sources.To know more about the threat that certain bitcoin mining apps pose, check out our previous blog posts below: The Trend Micro Smart Protection Network™ detects and deletes TROJ_RIMECUD.AJL and HKTL_BITCOINMINE, if found on user’s system.