Following our last post regarding WannaCrypt/WannaCry, a comment was made on LinkedIn about Adylkuzz:
“After WannaCry, what about Adylkuzz? Hackers are working on a global Adylkuzz cyber attack that could be even WORSE. Difficult to detect it. http://www.abc.net.au/news/2017-05-18/adylkuzz-cyberattack-could-be-far-worse-than-wannacry:-expert/8537502”
The malware “Adylkuzz”, like “WannaCrypt”, uses ETERNALBLUE and DOUBLEPULSAR to spread and to establish a backdoor into the infected computers. It appears to have been active since the end of April or the beginning of May 2017.
Once “Adylkuzz” has infected a computer it takes several actions: it blocks the SMB port (TCP 445) on the host, which stops further SMB communication and therefore also stops other malware from infecting the machine the same way; it downloads a cryptominer, a program that uses the computer’s resources to mine a cryptocurrency (in this case Monero, a cryptocurrency similar to Bitcoin); it downloads the specific instructions for the mining job; and it sends information about the infected computer back to its operators. It also tries to avoid detection, shutting down when certain actions are taken and scanning for anti-virus products. This makes “Adylkuzz” stealthier than “WannaCrypt”: it quietly uses your computer’s resources to mine Monero without ever warning you.
As we recommended for “WannaCrypt”, keep your computer up to date to prevent infection; the relevant fix is Microsoft’s MS17-010 security update, which closes the SMB vulnerability that ETERNALBLUE exploits. Since “Adylkuzz” does not announce its presence with a ransom message, you should also run an anti-virus scan to make sure you are not already infected.
Since the attack is presumed to have started before “WannaCrypt”, quite a few computers are likely to be infected with “Adylkuzz”. Luckily this malware is not as aggressive as “WannaCrypt”, since it does not encrypt or destroy your files, and it was discovered during the investigation of “WannaCrypt”.
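To turn the two points above into something you can actually run, here is an added example (our own script, not code from the original post or from any malware analysis) that checks a Windows host for an inbound firewall rule blocking TCP 445, for one of the MS17-010 updates, and for whether the SMBv1 server is still enabled. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later; the KB list is a partial list from the MS17-010 bulletin and is assumed to cover the OS you run it on. The function names are our own.

```powershell
# Added example (not from the original post): a quick check of a Windows host for
#   1. an enabled inbound firewall rule that blocks TCP 445, the SMB port. Adylkuzz
#      adds such a rule after infection; one you did not create yourself is worth a look.
#   2. whether one of the MS17-010 security updates (the fix for the SMB flaw that
#      ETERNALBLUE exploits) is installed.
#   3. whether the SMBv1 server is still enabled (ETERNALBLUE targets SMBv1; disabling
#      it is Microsoft's recommended hardening step alongside patching).
# Assumptions: run in an elevated PowerShell on Windows 8 / Server 2012 or later
# (needs the Get-NetFirewall* and Get-SmbServerConfiguration cmdlets). The KB list
# below is a partial list from the MS17-010 bulletin and is assumed to cover your OS;
# on Windows 10 a later cumulative update supersedes these and Get-HotFix may show
# none of them, so an empty result there is not proof that the host is unpatched.

$SmbPort = 445

function Get-Smb445BlockRules {
    # Enabled inbound rules with action Block whose port filter covers TCP 445.
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            ($filter.Protocol -eq 'TCP' -or $filter.Protocol -eq 'Any') -and
            (($filter.LocalPort -contains "$SmbPort") -or ($filter.LocalPort -eq 'Any'))
        }
}

function Get-Ms17010HotFixes {
    # Partial list of MS17-010 KB numbers (Windows Vista/XP/2003 through Windows 10 1607 / Server 2016).
    $kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
             'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
    Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
}

$rules = @(Get-Smb445BlockRules)
if ($rules.Count -gt 0) {
    Write-Output "Enabled inbound firewall rule(s) blocking TCP ${SmbPort}:"
    $rules | ForEach-Object {
        Write-Output ("  {0}  (DisplayName: {1}, Profile: {2})" -f $_.Name, $_.DisplayName, $_.Profile)
    }
    Write-Output "  If you did not add these yourself, treat the host as suspect and run a full anti-virus scan."
} else {
    Write-Output "No enabled inbound firewall rule blocks TCP $SmbPort."
}

$patches = @(Get-Ms17010HotFixes)
if ($patches.Count -gt 0) {
    Write-Output ("MS17-010 update present: " + (($patches | ForEach-Object { $_.HotFixID }) -join ', '))
} else {
    Write-Output "No MS17-010 KB from the list found (check Windows Update history before concluding the host is unpatched)."
}

$smbConfig = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $smbConfig) {
    if ($smbConfig.EnableSMB1Protocol) {
        Write-Output "SMBv1 server is ENABLED: disable it (Set-SmbServerConfiguration -EnableSMB1Protocol `$false) unless something still needs it."
    } else {
        Write-Output "SMBv1 server is disabled."
    }
}
```

A blocked TCP 445 is not by itself proof of infection (administrators block it deliberately, and so do other tools), which is why the script only flags rules for review; the anti-virus scan the post recommends remains the actual infection check.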
It would have been interesting to know how many “WannaCrypt” infections “Adylkuzz” prevented by blocking the SMB port.
More on WannaCrypt : https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168