"It's Much Bigger Than WannaCry": New Stealthy Cyberattack Could Dwarf Last Week's Global Worm Epidemic

Tyler Durden's picture

Another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week's assault on computers worldwide, a global cybersecurity firm told AFP on Wednesday.

Meet Adylkuzz - the new cyberattack that "is much bigger than WannaCry."

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to "mine" a virtual currency, Monero, in a background task and transfer the money created to the authors of the virus.


Proofpoint said in a blog that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately.


"As it is silent and doesn't trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers," said Godier.

Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero to the creators of the virus. The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected. Proofpoint's vice president for email products, Robert Holmes, told AFP...

"We don't know how big it is" but "it's much bigger than WannaCry".


"We have seen that before -- malwares mining cryptocurrency -- but not this scale," said Holmes.

It uses the hacking tools recently disclosed by the NSA "in a more stealthy manner and for a different purpose." As InfoRiskToday details...

The SMB flaw (file-sharing network protocol) targeted by this Adylkuzz campaign existed in all versions of Windows since XP and came to light in April, via a dump of "Equation Group" tools released by the Shadow Brokers.


Many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.


One of the Equation Group exploits included in the April dump, called EternalBlue, is designed to exploit the SMB flaw in Windows. If successful, the Equation Group would then often install a backdoor called DoublePulsar onto the exploited endpoint to give it persistent, quiet access to the system.

Rather than freeze files demanding a ransom, Adylkuzz uses the hundreds of thousands of infected computers to mine virtual currency... As InfoRiskToday details...

The WannaCry outbreak began May 12. But Proofpoint says that the Adylkuzz campaign that targeted DoublePulsar and EternalBlue appears to have begun as early as April 24 - nearly three weeks earlier - and hasn't stopped.


"This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," Kafeine says in a Monday blog post.


In addition, Proofpoint reports that multiple outbreaks that were attributed to the WannaCry campaign, but which involved no ransom notice, may, in fact, have instead been part of the Adylkuzz campaign.

As with WannaCry, the Adylkuzz malware first attempts to exploit a system via EternalBlue, and if successful then infects the endpoint with DoublePulsar, Kafeine says.

"Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection," Kafeine says. "It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools."

This Adylkuzz campaign is mining not for the world's most well-known cryptocurrency, but rather for monero.

InfoRiskToday notes that the creators of monero, also known as XMR, claim that it's more private and difficult to trace than bitcoin. Unlike bitcoin, it also has no hardcoded block size limit, meaning that - at least in theory - an infinite amount of monero could be mined.

So far it's not clear who's behind this cryptocurrency mining operation. A version of WannaCry seen in February contains code that was used in a 2015 attack tied to Lazarus - a hacking group that security experts say has ties to North Korea. But anyone could have reused the 2015 code, which is publicly available, Matt Suiche, managing director at incident response firm Comae Technologies, tells Cyberscoop.

"Attribution can always be faked, as it's only a matter of moving bytes around," he says.

As InfoRiskToday.com concludes ominously, the discovery of the cryptocurrency mining botnet shows that organizations that fail to patch their systems aren't just at risk from flashy attacks, such as WannaCry, but also stealthier attacks that don't always announce their presence.

Shlomo Scheckelstein's picture

Adylkuzz, Chaim is it you again?

WTFRLY's picture


DontGive's picture

"We don't know how big it is" but "it's much bigger than WannaCry"


AltRight Girl's picture

This is nothing, the hackers that stole from NSA (read Mossad) plan to stir up other hackers to go against Russia, Iran and China's systems 

Shadow Brokers plan to Release More Hacking Tools, Nuclear and Banking Secrets

Handful of Dust's picture

Not important as maligning Donald Trump 24/7 and burning down America by the fanatic left wing Democrats.

Croesus's picture

I've been saying for a while now, that they're going to dump the internet in its current form.

Too much good information on it, that gets serfs thinking a little too much.

These "super-duper virii" will cause the vermin in charge to call for "a new, more secure internet", & "an internet free from bias, hate speech, and cyberbullying".

The "new and improved" web, will be top-down control, with only approved information (MS BS) allowed.

Save/DL ANYTHING worthwhile, before it's all memoryholed.

HRH Feant2's picture

Not sure if have read or heard about "The Breaking Dawn" but Joel Rosenberg explores this idea in detail. Most people live as debt serfs in an area controlled by Donors while some folks dare to leave the safe area to be free. There are two internets with data smugglers and hackers in between. Fascinating book but never underestimate human ingenuity. Certainly there are plenty of slugs that don't know how to trim their own toenails, but plenty of other people are interested in privacy and alternate networks and alternet internets.

I have more than one TB back up drive. Good reminder to download items you care about.

Art Van Delay's picture

Best HDD is on your shoulders.

The future of Internet is of no importance to those that haven't saved/downloaded anything on that.

We'll always need serfs around, they fit the profile. 

They'll have their 10 min breaks in which they can swap audio messages. 

TwelveOhOne's picture

Am currently reading "Cracking the Code" by Phil Hendrickson, of http://losthorizons.com fame.

It describes a similar situation: there are "debt slaves" that "voluntarily comply" but don't realize that they can just as easily "voluntarily ignore those fuckers" and just live a free life.

It becomes slightly more difficult when your employer tells those fuckers that you made "income" and "wages" (which are narrowly defined in legislation, differently from how they're defined in the dictionary) -- but only slightly.  Then you need to file form 4852 to rebut their erroneous assertion.

mmanvil74's picture

The irony is, all of this ransomware, possibly designed to undermine Bitcoin and other cryptocurrencies in the eye of the public, will force .gov to "crackdown" on crypto exchanges and implement other regulations, all of which will have the unintended consequences of legalizing and recognizing cryptocurrency for what it is - better money than fiat.  

Just as has happened in Japan, new "rules" to contain cryptocurrency have served to incite a crypto buying frenzy, which will spread across the world, eventually.

dasein211's picture

Ummmm.... you don't understand cryptos. YOU DONT NEED AN EXCHANGE. You can go wallet to wallet and REALLY launder cash if needed. Or you can go cash to person back to wallet. You would think all the anti government Zerohedgers would have looked into this by now. Short of SHUTTING DOWN THE INTERNET COMPLETELY they have no chance of stopping cryptos. And let's say they DO shut down the internet. Computers can be used as mini internet servers using Golem. And storage via SIAcoin or storj. Seriously look this shit up before you open your trap.

HalinCA's picture

Golem - nice https://golem.network/

So instead of having your CPU/SSD hijacked by bad guys, you voluntarily allow complete strangers to use it.

What could possibly go wrong?


NiggaPleeze's picture


First of all, Golem will not work without the internet - it is entirely predicated on it (think "cloud computing" except everyone's PC is part of the cloud).

Second, Golem, as well as the current botnets being set up to extort ransom or to ... errhhh ... mine crypto-currencies ... hmmmm. Did you know that crypto-currencies such as Bitcoin work on a majority-of-miners basis?  Hence if someone can control a majority of miners - as has already happened - they can completely control the currency, making it not just a "fiat currency" but an "anonymously controlled fiat currency".  Bitcoin is vulnerable to a number of other known attacks.

aminorex's picture

The reason they are mining monero is simply because it is the most cash money crypto.  It is fungible because it is untraceable.


The article is wrong to suggest that monero supply is inflationary.  The reward size limit is low enough so that new coins are anticipated to roughly replace lost coins over the long run.  The supply growth rate will be less than the supply growth rate of physical gold.

LA_Goldbug's picture

That is very interesting because this has happened at more or less the time when BitCoin was making a huge recovery.

Interesting :-)

HRH Feant2's picture

Thanks for the book title and link! I am always searching for new and smart scifi or dystopic fiction!

Sorry, I didn't post the link to the book I mentioned. Here it is: https://www.amazon.com/Breaking-Dawn-Paul-Rosenberg/dp/0979987768/ref=sr...

TwelveOhOne's picture

Fuck off and die you ignorant spammer.

runswithscissors's picture

As long as it won't touch my stacks I'm good....gave up on banks years ago...if they steal my $39.50 in savings then "my bad"

Anon2017's picture

See Notice on Racism. This account needs to be banned.

tmosley's picture

Much smarter, and much less likely to piss someone off enough to put a large bounty on your head on the dark market.

swmnguy's picture

Yeah, that's what I was thinking.  Cut out the part about ransom and hostage computers, and just get straight to the money without the conscious awareness of the middleman.

jaap's picture

Count de Monero.

Zoomorph's picture

Too bad they aren't mining Shitcoin. They could take over the entire network if they doubled the processing power!

c2nnib2l's picture

bullshit silent monero miners are on the market since last year i was interested in this shit myself

they are selling them on deep web for 60 $ for each miner plus the set up price included

on average they generate 20$ a day i thought this was too good to be true but its turned out to be correct. still this shit have nothing to do with NSA

swmnguy's picture

I think the suggestion was that the means of gaining access to computers was derived from the NSA tools.  What somebody would do with that access once they had it is up to them, and nothing to do with NSA.

Cruel Joke's picture

So it's more or less like SETI@home - except it is not voluntary. Hijacking your CPU for mining work. Devilish.

swmnguy's picture

That's how I understand it.  Yeah, devilish indeed.  Many, many people won't notice anything for a long, long time.

beaker's picture

WTF is Monero???

rhadamanthus's picture

Fuck the botnets and ransomware, but good taste in cryptocurrency. Monero is the most private and fungible digital cash. see http://monero.how

c2nnib2l's picture

as for who is behind it lol lol lol


go on the deep web idiots plenty of markets check the sellers 

BoingBoing's picture

Block size limit has nothing to do with the amount of currency mined. It determines the maximum transaction rate.

This is why bitcoin is dying - it's limited to 1MB blocks every 10 minutes. Monero responds to the network demand and changes its block size to meet it. And blocks are found every 2 minutes.

HRH Feant2's picture

The flaw with BTC is how long it takes to transfer it. I did a transfer a few days ago and it took three hours. It wasn't that much and the time delay is annoying. I can see where BTC could be faster than a wire transfer and the cost for that transfer could be cheaper than paying for a wire transfer.

BTC is a fun toy but I agree, time matters. People are used to sending an email and the other person gets it instantly. People want their funds to work in the same way.

oldschool's picture

At $1815 per, how is BTC dying?  Its share of market cap is declining due to growth in alternatives, but "dying"?

RawPawg's picture

just like life itself...

the man making money off your blood, sweat, and hard drive

shimmy's picture

Now this actually seems logical for those who are into doing this evil stuff rather than lame ransomware crap.

Oh and I like the typical blame Russia shit with that shadow broker group. I'm getting so tired of this Russia boogeymen shit. 

TwelveOhOne's picture

You and me both.  Recall that they kicked out (((some folks))) and perhaps that is the reason that these (((media companies))) are vilifying the Russians, here in the States.  The more we know about their "Two Hundred Years Together" the less their tactics will work here -- thus, we learn none of it in government-run schools, or MSM.

GeezerGeek's picture

If the "Russian boogeymen shit" keeps up much longer, the Russians will be able to do anything they want and will say "stop blaming us."


WillyGroper's picture

spooks generating chaos.


Davidduke2000's picture

backed up all the data on all my computers, removed all extra internal drives and made images of all c drives, even though I have 2 antiviruses on each computer and a malwarebytes, I do not care if I get attacked , I would wipe the drive with a special Russian wipe software and use my images to re-install.

I took a picture of my dick and balls and used it as desktop background to welcome them. 


all posters should do the same. 

Knob Creek's picture

I should use a picture of your dick and balls?

dlweld's picture

But, one little thumbnail in the corner of the screen? How does that help?