Adylkuzz is a CoinMiner malware, which means that it employs – without user consent – machine resources to mine coins for virtual currencies. It appears to exploit the same vulnerabilities as the WannaCry ransomware did but in a more stealthier fashion.
On paper WannaCry was the more damaging in the sense that it threatened the victim with data loss and extortioned money from its victims. Adylkuzz on the other hand is a lot less in your face and operates in the background, using the victims machine to mine crypto keys to turn it into something with monetary value. What that means is the malware consumes resources on the machine, such as using CPU cycles.
So whoever is behind the attack creates an army of machines, with each one running a program in the background of the machine which link up with other machines infected and altogether create small amounts of cryptocurrency. These programs mostly go unnoticed by the computer’s owner. The bigger problem here is that mini crypto currency is one thing, once a victims computer has been infiltrated it could lead to something far worse.
There’s nothing official about who is behind WannaCry or Adylkuzz, but there is speculation that WannaCry was related to North Korea due to the software behavioural characteristics sharing similarities to the Sony attack in 2014 — which was attributed to DPRK. Since Adylkuzz is a newly discovered ransomware and isn’t as immediately destructive as WannaCry was, there is very little to go by surrounding its origins. But the public must stay alert and carry on keeping a close eye on emails and in this instance with CPU usage.
The importance of downloading update patches cannot be at its highest. The truth is, WannaCry and Adylkuzz were fixed/patched two months ago. The main reason why WannaCry came to life on May 12, 2017 was that not every machine on the planet were up to date with their patches. Microsoft addressed the WannaCry malware back in March 2017, but organisations around the world – small businesses to large corporations – still hadn’t updated their Windows and that’s where it all went haywire.
Here’s the techy details of Adylkuzz:
Once executed, the Trojan creates the following files: %ProgramFiles%\Hardware Driver Management\windriver.exe %Windir%\Fonts\wuauser.exe The Trojan connects to one of the following remote locations to report installation: [http://]panel.minecoins18.com/install/st[REMOVED] [http://]08.super5566.com/install/st[REMOVED] [http://]am.super1024.com/report/st[REMOVED] Next, the Trojan connects to one of the following remote locations to download the cpuminer cryptocurrency miner: [http://]panel.minecoins18.com/x64[REMOVED] [http://]panel.minecoins18.com/x86[REMOVED] [http://]08.super5566.com/64.[REMOVED] [http://]08.super5566.com/86.[REMOVED] [http://]am.super1024.com/64.[REMOVED] [http://]am.super1024.com/86.[REMOVED] The Trojan downloads cpuminer to one of the following locations: %ProgramFiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat %Windir%\Fonts\msiexev.exe The Trojan contacts one of the following remote locations to download configuration for cpuminer: [http://]panel.minecoins18.com/argline[REMOVED] [http://]08.super5566.com/mine[REMOVED] [http://]am.super1024.com/mine[REMOVED] The Trojan then executes cpuminer on the compromised computer. The Trojan blocks access to port 445 on the compromised computer. The Trojan creates the following services: WHDMIDE WELM The Trojan saves the cpuminer output log to the following location: %Temp%\[RANDOM CHARACTERS]._Miner_.log The Trojan stops itself and the miner process if the following processes are running: taskmgr.exe mmc.exe procexp.exe The Trojan sends the following information to a remote location: Global IP address Malware version operating system and architecture CPU frequency Number of processors Memory size The Trojan also checks for the following processes: avp.exe nod32krn.exe mcshield.exe ccsvchst.exe 360sd.exe avguard.exe msseces.exe avastsvc.exe avgnsx.exe spidernt.exe kwatch.exe xcomsvr.exe fsdfwd.exe ravmon.exe sfctlcom.exe qhlpsvc.exe guardxservice.exe The Trojan then sends the information to one of the following remote locations and may download updates: [http://]panel.minecoins18.com/rep[REMOVED] [http://]08.super5566.com/rep[REMOVED] [http://]am.super1024.com/rep[REMOVED]
What to do now that you know about Adylkuzz?
- You can start off by taking cyber security very seriously – you should keep up with the latest in malware and cyber attacks. Share anything you find which may help the next user down the line.
- Keep Windows Updates ON – for some it may eat up bandwidth and even CPU resources but the time invested into downloading regular updates my save your files and money.
- Keep your antivirus definitions up to date – like Windows Update, update your antivirus to ensure that you are protected from the latest threats out there.
- Run full scans on your antiviruses
- Give us a call and we will handle it all for you, we should have already updated or instructed you to update Windows – if you’re unsure get in touch with us ASAP.
IntelliTeK is one of the fastest growing IT service providers that you will find on any list of managed service providers in Australia. We are always up to date with the latest threats to emails and IT security which is why we only partner with the best in the industry. If your company isn’t fully equipped to fend off cyber criminals, then get in touch with us so we can discuss your options. Call us on 1300 768 779, email us at email@example.com, fill out the web form, or have a Live Chat with us below.