Alert - Adylkuzz Cryptocurrency Miner Distribution Campaign

Number: AL17-007
Date: 18 May 2017

Purpose

The purpose of this alert is to bring attention to, and provide guidance and mitigation advice for, a cryptocurrency miner distribution campaign.

Assessment

CCIRC is aware of a cryptocurrency miner campaign, called Adylkuzz, which is spreading in a similar way to the recent WannaCry ransomware campaign. Open source reports indicate that this malware predates the WannaCry campaign and is being spread using the EternalBlue SMBv1 exploit and the DoublePulsar kernel backdoor, which are typically used to install the Adylkuzz cryptocurrency miner. Please note that the DoublePulsar backdoor can be used to install any payload and is not limited to the cryptocurrency miner; a host found with DoublePulsar should be treated as fully compromised, not merely as running a miner.

Symptoms of compromise may include loss of access to shared Windows resources (SMB shares) and degradation of PC and server performance caused by the miner's CPU use. Open source reports also indicate that this activity may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide. For this reason, CCIRC highly recommends applying the MS17-010 SMB patches to prevent further exploitation.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • A new patch has been made available for some Microsoft legacy platforms (including those no longer in mainstream support), and is available here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
  • If it is not possible to apply the patches, consider disabling SMBv1 and/or blocking the SMB and NetBIOS ports on network devices [UDP 137, 138 and TCP 139, 445]. Guidance on disabling SMBv1 is available here: https://support.microsoft.com/en-us/help/2696547
  • To prevent infected hosts on the Internet from reaching your systems, block inbound connections to the SMB and NetBIOS ports at your network perimeter.
  • To prevent your own infected hosts from infecting other external networks, block outbound connections to the SMB and NetBIOS ports at your network perimeter.
  • Ensure antivirus and gateway protections are up to date.
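The following PowerShell script is an added example of how the host-level mitigations above can be checked and applied on a single Windows system; it is not a CCIRC script. It assumes it is run as Administrator on Windows 8 / Server 2012 or later (the SMB and NetFirewall cmdlets do not exist on Windows 7 / Server 2008 R2, for which the registry method from KB2696547 is shown in a comment). The list of MS17-010 KB numbers is an assumption and must be verified against the bulletin for each platform, and the firewall profile used is a placeholder choice.

```powershell
# Added example for this alert (not CCIRC's own script). Run as Administrator
# on Windows 8 / Server 2012 or later.

# 1. Is an MS17-010 update installed?
#    The KB list is an assumption: check it against the MS17-010 bulletin for
#    the exact OS version before relying on it.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')
$installed = Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue
if ($installed) {
    "MS17-010 update present: " + ($installed.HotFixID -join ', ')
} else {
    Write-Warning "No MS17-010 update found in the checked KB list; patch this host."
}

# 2. Is the SMBv1 server protocol enabled? If so, disable it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled; disabling it."
    # -Force suppresses the confirmation prompt.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Windows 7 / Server 2008 R2 equivalent from Microsoft KB2696547 (reboot required):
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#     -Name SMB1 -Type DWORD -Value 0 -Force

# 3. Block inbound SMB/NetBIOS at the host firewall on the Public profile as a
#    stop-gap while the patch is rolled out. This is inbound only: blocking
#    outbound 445 on every workstation would break access to legitimate file
#    servers, so outbound blocking belongs at the network perimeter.
$rules = @(
    @{ Name = 'Block SMB TCP 139,445 (MS17-010 stop-gap)';     Protocol = 'TCP'; Port = 139, 445 },
    @{ Name = 'Block NetBIOS UDP 137,138 (MS17-010 stop-gap)'; Protocol = 'UDP'; Port = 137, 138 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -Profile Public | Out-Null
        "Created rule: $($r.Name)"
    }
}

# 4. List current SMB sessions to this host, to spot unexpected lateral SMB
#    traffic during the incident (a spreading worm shows up as many remote
#    peers on 445 that are not your file servers or admin hosts).
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess
```

Disabling SMBv1 via Set-SmbServerConfiguration takes effect immediately but will break any remaining clients that can only speak SMBv1 (for example, old multifunction printers scanning to shares), so inventory those before rolling this out fleet-wide; the firewall rule can be removed once the host is patched.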

Most often, attacks of this type are first noticed by diligent and well-informed users, for example when shares become unreachable or a machine becomes unusually slow. CCIRC recommends that organizations ensure users receive current situational awareness and training, including instructions on how to report unusual or suspicious emails and system behaviour to their IT Security Branch. Reviewing departmental policies, requirements, and security education and awareness training can help reduce this threat.
