The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and in a few others by our fellow McAfee researchers.
Today we learned that another malware family is using the same exploit to spread itself to vulnerable machines. The malware Adylkuzz is a CoinMiner malware, which means that it employs—without user consent—machine resources to mine coins for virtual currencies. This specific variant was used to mine Monero coins.
This CoinMiner is not a new variant. We have seen samples as old as October 2014, but it has increased in usage since April. Online reports mention that this malware have infected machines after a successful exploitation of the MS17-010 vulnerability followed by the installation of the backdoor malware EternalBlue/DoublePulsar.
Adylkuzz has not changed much in all these years, as we can see by comparing the code among the different waves. For example, the following graphs represent code differences between the October 2014 variant and the first wave starting in April this year:
The number of functions that changed was very small:
- Identical functions: 1,553
- Matched functions: 18
- Unmatched functions: 167
The same can be seen between the April variant and the latest samples received:
- Identical functions: 1,617
- Matched functions: 0
- Unmatched functions: 178
Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning remote hosts using a tool such as Metasploit and installing the CoinMiner malware via the DoublePulsar backdoor. A porting of the MS17-010 exploit is already available for Metasploit.
As this is old malware, McAfee has long had detection for it. We detect most of the samples as Packed-GV!<partial_md5> and Raiden detection RDN/Generic.grp.
Customers might also want to follow the generic guidelines for blocking, whenever possible, the network ports used by the exploit (TCP/445 and UDP/137) to avoid further infections.
We will update our readers about this malware as we learn more.