SCF Portal Stats

Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42953
  • Total Topics: 16151
  • Online Today: 4651
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

« previous next »
Pages: [1]

Author Topic: Adylkuzz CoinMiner Spreading Like WannaCry  (Read 2029 times)

0 Members and 1 Guest are viewing this topic.

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Adylkuzz CoinMiner Spreading Like WannaCry
« on: 25. May 2017., 14:59:32 »
Adylkuzz CoinMiner Spreading Like WannaCry

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and in a few others by our fellow McAfee researchers.

Today we learned that another malware family is using the same exploit to spread itself to vulnerable machines. The malware Adylkuzz is a CoinMiner malware, which means that it employs—without user consent—machine resources to mine coins for virtual currencies. This specific variant was used to mine Monero coins.

This CoinMiner is not a new variant. We have seen samples as old as October 2014, but it has increased in usage since April. Online reports mention that this malware have infected machines after a successful exploitation of the MS17-010 vulnerability followed by the installation of the backdoor malware EternalBlue/DoublePulsar.

Adylkuzz has not changed much in all these years, as we can see by comparing the code among the different waves. For example, the following graphs represent code differences between the October 2014 variant and the first wave starting in April this year:



The number of functions that changed was very small:
•Identical functions: 1,553
•Matched functions: 18
•Unmatched functions: 167

The same can be seen between the April variant and the latest samples received:



•Identical functions: 1,617
•Matched functions: 0
•Unmatched functions: 178

Because the malware has not changed and does not contain any code to exploit the SMB v1 vulnerability, we believe that some actor is leveraging the vulnerability by scanning remote hosts using a tool such as Metasploit and installing the CoinMiner malware via the DoublePulsar backdoor. A porting of the MS17-010 exploit is already available for Metasploit.

As this is old malware, McAfee has long had detection for it. We detect most of the samples as Packed-GV!<partial_md5> and Raiden detection RDN/Generic.grp.

Customers might also want to follow the generic guidelines for blocking, whenever possible, the network ports used by the exploit (TCP/445 and UDP/137) to avoid further infections.


Original article: By Guilherme Venere on  May 17, 2017
Logged
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info

Adylkuzz CoinMiner Spreading Like WannaCry
« on: 25. May 2017., 14:59:32 »
Pages: [1]
« previous next »
 

+ Quick Reply

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:
Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising