"It's Much Bigger Than WannaCry": New Stealthy Cyberattack Could Dwarf Last Week's Global Worm Epidemic

Tyler Durden's picture

Another large-scale, stealthy cyberattack is underway on a scale that could dwarf last week's assault on computers worldwide, a global cybersecurity firm told AFP on Wednesday.

Meet Adylkuzz - the new cyberattack that "is much bigger than WannaCry."

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to "mine" in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus.


Proofpoint said in a blog that symptoms of the attack include loss of access to shared Windows resources and degradation of PC and server performance, effects which some users may not notice immediately.


"As it is silent and doesn't trouble the user, the Adylkuzz attack is much more profitable for the cyber criminals. It transforms the infected users into unwitting financial supporters of their attackers," said Godier.

Proofpoint said it has detected infected machines that have transferred several thousand dollars worth of Monero to the creators of the virus. The firm believes Adylkuzz has been on the loose since at least May 2, and perhaps even since April 24, but due to its stealthy nature was not immediately detected. Proofpoint's vice president for email products, Robert Holmes, told AFP...

"We don't know how big it is" but "it's much bigger than WannaCry",


"We have seen that before -- malwares mining cryptocurrency -- but not this scale," said Holmes.

It uses the hacking tools recently disclosed by the NSA "in a more stealthy manner and for a different purpose." As InfoRiskToday details...

The SMB flaw (file-sharing network protocol) targeted by this Adylkuzz campaign existed in all versions of Windows since XP and came to light in April, via a dump of "Equation Group" tools released by the Shadow Brokers.


Many security experts believe the Equation Group is the National Security Agency, and that the Shadow Brokers may be part of a psychological operations campaign run by Russian intelligence.


One of the Equation Group exploits included in the April dump, called EternalBlue, is designed to exploit the SMB flaw in Windows. If successful, the Equation Group would then often install a backdoor called DoublePulsar onto the exploited endpoint to give it persistent, quiet access to the system.

Rather than freeze files demanding a ransom, Adylkuzz uses the hundreds of thousands of infected computers to mine virtual currency... As InfoRiskToday details...

The WannaCry outbreak began May 12. But Proofpoint says that the Adylkuzz campaign that targeted DoublePulsar and EternalBlue appears to have begun as early as April 24 - nearly three weeks earlier - and hasn't stopped.


"This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," Kafeine says in a Monday blog post.


In addition, Proofpoint reports that multiple outbreaks that were attributed to the WannaCry campaign, but which involved no ransom notice, may, in fact, have instead been part of the Adylkuzz campaign.

As with WannaCry, the Adylkuzz malware first attempts to exploit a system via EternalBlue, and if successful then infects the endpoint with DoublePulsar, Kafeine says.

"Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection," Kafeine says. "It then determines the public IP address of the victim and downloads the mining instructions, cryptominer, and cleanup tools."

This Adylkuzz campaign is mining not for the world's most well-known cryptocurrency, but rather for monero.

InfoRiskToday notes that the creators of the cryptocurrency, also known as XMR, claim that it's more private and difficult to trace than bitcoin. Unlike bitcoin, it also has no hardcoded block size limit, meaning that - at least in theory - an infinite amount of monero could be mined.

So far it's not clear who's behind this cryptocurrency mining operation. A version of WannaCry seen in February contains code that was used in a 2015 attack tied to Lazarus - a hacking group security experts say has ties to North Korea. But anyone could have reused the 2015 code, which is publicly available, Matt Suiche, managing director at incident response firm Comae Technologies, tells Cyberscoop.

"Attribution can always be faked, as it's only a matter of moving bytes around," he says.

As InfoRiskToday.com concludes ominously, the discovery of the cryptocurrency mining botnet shows that organizations that fail to patch their systems aren't just at risk from flashy attacks, such as WannaCry, but also stealthier attacks that don't always announce their presence.

ModernMusket's picture

Always do the same. Externals are cheap and great. Pack everything in there, back up to it, and then unplug it.

dark fiber's picture

Here is a simple solution.  Dump Windows.  Won't cost you a penny and will pay for itself in the long run.

TwelveOhOne's picture

Agree with everything except the assertion at the beginning of the last sentence, because -- time is not free, and it takes time to learn and deploy something new (Linux, FreeBSD, or other alternatives).

Bill of Rights's picture

Soon comes the ATM and credit card kill switch. Metals are nice but I prefer cash.

GeezerGeek's picture

If you prefer cash you should love Monero. The article says that "an infinite amount of monero could be mined." Which makes it every bit as valuable as that FRN you prefer.


El_Puerco's picture


WHAT IS INTERESTING is Italian servers are all down (those that skirt laws)

like they had a heads up

wisehiney's picture

This sounds like something those dudes in that movie would do.

You know, the one with Brad Pitt and Ed Norton.

Ajax_USB_Port_Repair_Service_'s picture

I sure hope the government(s) step in and save us from all these cyber attacks!

Davidduke2000's picture

These are CIA attacks, what government are you talking about?? How do you think the CIA knew that the attackers got only $70,000 so far???

Dilluminati's picture

Cryin' won't help you, prayin' won't do you no good
Now, cryin' won't help you, prayin' won't do you no good
When the levee breaks, mama, you got to move

LA_Goldbug's picture

Soon you will be required to bring your PC/laptop to the local DHS office to have it screened and given a license before being allowed to connect to the Network.

If not your ass will be guillotined :-)

barysenter's picture

Adios low hanging fruits.

Dilluminati's picture

I think you summed it up.. tomorrow's internet not for everybody, might be an improvement?

Dilluminati's picture

I just kicked off a Clonezilla backup and will follow up tomorrow with spouse and take NAS offline until this stupid shit passes. I also have set up backup laptops and have been manually updating my virus definitions. It will take me a bit over an hour to back up, however once I have the boot done I can take over the rest as files. If you don't have Clonezilla or don't have a NAS and you have stuff you do not want to lose, I suggest that you get both or take a chance of actually sending bitcoin in some hope that you get your stuff back.

I will laugh at the numbskulls who thought these hackers were Robin Hood when your computer is pwnd by some 3rd world useless easter who wouldn't send the key if you paid.

Again good luck and run some NMAP if you know how.

Clonezilla, USB, and WD drive with ethernet is my suggestion, or you can pay that later and have nada

yellowsub's picture

You really only need to be worried if you or someone in your household goes to stupid websites and clicks unknown email links...

Virus scanners only protect you if this is an existing exploit which these are not.

If these guys want to hack your system, there's nothing you can do to protect it because they'll find a way if you're on Windows. Better to switch to a different OS.

That's why for the most part infosecurity is a farce like independent auditors public companies hire.

Davidduke2000's picture

If these hacks are freaking out people and the government, why are people not prepared, what would people do if there are a few bursts of EMP?? I am prepared, I built a Faraday cage and put inside it hard drives, all my backups 10 TB, USB drives, 2 motherboards complete with memory, CPU, fans, external DVDs, power supplies, Windows OS, a laptop, BlackBerry cellphone, video cam, digital cam, film cam, 5 rolls of film, and some medical equipment, radio, all brand new. The entire cage is covered by a sheet of copper.

uhland62's picture

Not everybody can do that. My recipe is no link to my bank account on the computer or any other digital device and certainly no cryptocurrency. Nothing is safe because every wall one man can build another man can tear down.

squid's picture

What did you use on the comms lines and power lines that go INTO your cage?



Tall Tom's picture




Surge protectors in series will suffice for power. Redundancy is good.


As for comm, perhaps that can be surge protected also?


But the problem is that while his equipment will remain intact, how many others will have the same precautions?


Few. Thus the net dies.


So what good is equipment that cannot be used?

squid's picture

For the AC stuff you want to make sure it's fast enough to react.

For ethernet and telephone the safest thing is just to put a fiber card in your rig and convert everything to fiber and connect with that.


You save your machine not for the photos, but what's on it.

You should do a bit of hunting, download as much of the following you can find:

Good physics texts, pdf format,

Plenty of engineering books, pdf format,

Plenty of first aid books, pdf format,

Plenty of animal husbandry texts, pdf format.

Service manuals for any of your older vehicles.


If there is an EMP, that information will be invaluable.



yellowsub's picture

I think you'd have more issues than securing your electronics if that happens.  

Short of my photos, I have nothing digital that rarely backup when upgrading to new machines.  

squid's picture

Unix farms based on NFS are NOT affected by this nor are Apple systems using AppleTalk.

The infection vector is the SMB protocol, Server Message Block Protocol, it's the arcane CRAP Microsoft has used since Windows for Workgroups. It's fucking horrible in every way but it's on all winDOZE machines.


Your simple solution if you are a Windoze user is to:

1. Open your control panel,

2. Go to the network settings,

3. Go to adjust adapter settings,

4. On the network adapter, unclick windows file and printer sharing, click apply.


You are done.

If you want to print, install the TCP/IP direct printing. You will have lost all SMB file sharing facilities but ftp, tftp and sftp will still work fine.


If you want to check if you are infected you need to do it from the console as all of these trojans, for the last 20 years, spoof the task manager display so you can't see what is going on, you won't see the trojan or its display name will be something normal.

1. Open a console, PowerShell or cmd.exe,

2. At the PowerShell prompt, enter this command:

tasklist /svc

3. There will be a screen dump of columns, the important thing we want is the PID (process identifier) and program/service name,

4. At the console, enter the following command:

netstat -a -n -o

5. You will get a dump of stuff. This command is showing you all the TCP and UDP servers running on your machine waiting for connections, all the connections your machine has to other servers, and the far right column shows you the PID of the process responsible for those connections. It's the last one that you need to identify exactly what process is responsible for what connection.


If you are a casual user, you're lost at this point. I feel for you......go buy a mac. You can't be using windows, you're a lamb at a wolf convention. Buy a Mac. Done.


If you are a bit up to speed, then you need to identify everything that is connected to something else on your machine by PID. The only tripup you might have is that many trojans attach themselves to generic windows HOSTS services that can have many processes running under them, stuff that is innocent can get mixed with nefarious junk. Now, what these things usually do is there are 2 or 3 services that are running:

Bad service one calls bad service two when the machine boots OR if you've peeled out the files and registry location of bad service two, it will reinstall them (clever little dear, that Pinoy Chap in 1997 was the first one I saw do this back then).

Bad service two will call bad service three if it's not running, if it can't find the files or registry entries for bad service three (because you were trying to clean up your machine), it will reinstall them. Again, clever.

Bad service three is likely the one you will find using netstat.


At this stage you need to get Mark Russinovich's Process Explorer, you can get it from Microsoft since they bought out SysInternals some years back, Russinovich works for the Devil now. Process Explorer will show you the tree of processes, which one started which other one and using this and the service control manager you can crawl up the process tree to find out the grand daddy, kill it and peel it out. You will need to get into the registry, find the rogue entries and remove those as well.


If anything that I just described scared you, confuses you and just sounded like gibberish....put your important files onto a 64GB USB stick, copy over what you want, turn off your computer and go out and buy a Mac. I'm serious here, you shouldn't be using windows, you're too easy to exploit. Buy a Mac.


If what I wrote doesn't scare you, get after it. When you're done, seriously look at installing a Linux distribution. Many people have complained it's behind on this or that.....not sure what that means. The way I look at it, if you're going to try and learn Unix, then go full bore....forget Ubuntu, Mandrake, Debian or Suse.....go Gentoo. Gentoo compiles EVERYTHING from source code. If you want bleeding edge, just unmask the latest released test versions, and emerge it (emerge is the Python-based package manager that does all the secretary work of making sure you have the appropriate library packages built on your machine, versions, before calling make to build the packages.). It will be tough, you will have lots to learn but, and this is important, YOU WILL HAVE THE SOURCE LUKE!!! Make sure to compile your own kernel and turn off all the NSA crap. It's in there and not hidden, you can see it, it's right in front of you. Learn IP tables...which I am no expert in. I simply don't have anything running on my external interfaces so there is no vector into my machine....except for ssh on a port I won't tell you.


Also, don't mount your boot partition unless you are updating your kernel. A trojan that might happen to get into your machine does not know root's password and can't mount disks...it can't find the actual kernel because the partition is not mounted...it also can't touch etc.... Most Linux distributions won't even allow you to start X as root...because only an IDIOT would run as root...which is of course how most windows users run which is why we're having the rather long conversation in the first place.

Remember, these worms and trojans can only run on windows machines. It doesn't mean you are not in danger of getting a unix root-kit, you are but simple things like:

1. Disabling ssh root login (this is default, if you're dumb enough to enable it well, you're a big boy, go for it),

2. No telnet server,

3. Don't run an SMB server,

4. and do NOT have 12345 as your root password.


This is real. If you want a laugh, just enable port 22 on your Internet facing router and watch the continual probes that will immediately start trying to log into your ssh server.....root@admin, root@12345, root@root, etc...it will go on 24 hours a day seven days a week. They are looking for a noob that has allowed root login over ssh with a stupid password....you'd be surprised how common that is. I just move my ssh port and ignore it....and don't allow root login over ssh.


If you need more info on peeling this shit out of your windows machine, lemme know.
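
Added example, not part of the comment above: a Python sketch that joins the output of the two commands it names, `netstat -a -n -o` and `tasklist /svc`, by PID, so that every socket is shown next to its owning process and the services sharing that process. It assumes the process list was saved in CSV form (`tasklist /svc /fo csv`) on an English-locale system; the sample output, the service name `ExampleSvc`, the image name `browser.exe` and PID 7777 are constructed for illustration.

```python
import csv
import io

# Constructed sample of `tasklist /svc /fo csv` output (English locale assumed).
TASKLIST_CSV = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","904","RpcEptMapper,RpcSs"
"svchost.exe","1388","LanmanServer,Schedule,ExampleSvc"
"browser.exe","5120","N/A"
'''
# Constructed sample of `netstat -a -n -o` output (documentation-range addresses).
NETSTAT_TXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     5120
  TCP    192.0.2.10:49801       203.0.113.50:8080      ESTABLISHED     1388
  TCP    192.0.2.10:49850       203.0.113.51:8080      ESTABLISHED     7777
  UDP    0.0.0.0:5355           *:*                                    1388
'''

def parse_tasklist(text):
    """Return {pid: (image, [services])} from tasklist CSV output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        svcs = [s.strip() for s in row["Services"].split(",")]
        procs[int(row["PID"])] = (row["Image Name"], [s for s in svcs if s and s != "N/A"])
    return procs

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[0], f[1], f[2], f[3], int(f[4])
        elif len(f) == 4 and f[0] == "UDP" and f[3].isdigit():
            yield f[0], f[1], f[2], "", int(f[3])

def correlate(tasklist_text, netstat_text):
    """Join sockets to owning processes and note what needs a closer look."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image, svcs = procs.get(pid, (None, []))
        note = ""
        if image is None:  # socket owner absent from the process listing
            note = "PID not in tasklist snapshot"
        elif len(svcs) > 1:  # one PID, several services: PID alone is ambiguous
            note = "shared host: " + ", ".join(svcs)
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": pid, "image": image, "note": note})
    return rows

if __name__ == "__main__":
    for r in correlate(TASKLIST_CSV, NETSTAT_TXT):
        print(r["pid"], r["image"], r["proto"], r["local"], r["remote"], r["state"], r["note"])
```

A PID that owns a socket but is missing from the process listing can also be a process that exited between the two commands, so capture both outputs back to back before reading anything into it.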



Dilluminati's picture

poormans wireshark.. nicely done

heh wait a second wireshark is free

DuneCreature's picture

Wow, that was a nice little gift there, Squid.

Live Hard, People Like You Make My Day, Die Free

~ DC v5.0

bluez's picture

I used to worry about all that. It is all true, and I have concluded that Windows is one giant expensive Trojan. Using linux now (Refracta Linux, no systemd). Life is mostly simpler, you just have to learn a few magical incantations and type them in now and then.

squid's picture

Agreed on systemd.

Apparently it's written by the same guy that wrote PulseAudio, a finicky little POS of code that Skype needs to run. If you even install it you're forever fucking with it, it's CRAP.

AND SystemD is now 500,000 lines of code.....

YOU HAVE GOT TO BE KIDDING! Fully supported by the NSA. They want it big, bloaty and unmanageable because then the code is more difficult to audit. I'm using Gentoo's Openrc. I looked at systemd but there are too many horror stories from sys admins who've had complete server farms go belly up with it.


Yah, stay with Openrc....if you want to see how it works, just read the startup scripts in /etc/runlevels



LA_Goldbug's picture

I am guessing that for a guy who has been using a PC for 25 yrs. but is not an IT guy this Linux may not be best for me,

"Gentoo Linux is a versatile and fast, completely free Linux distribution geared towards developers and network professionals. Unlike other distros, Gentoo Linux has an advanced package management system called Portage. "

I'm mainly a web-surfer on my personal machine.

rygar's picture

Linux Mint for you then. Easy to install and maintain for a person who understands what 'disk partition' is. It's not super safe, but still better than MS

LA_Goldbug's picture

As always, Thank You Squid. That was very helpful.

barysenter's picture

They only got 70k. ROFLLMAO

PhiPhi's picture

Micro$oft appear to be getting off very lightly on these recent exploits, 20% of the time their updates will cause serious problems which take hours to resolve even if a workaround is available.  The Windows 10 policy of non-optional updates is unsuitable for anyone wanting a stable systems environment as potentially system apps, tools and features can be removed or added at the whim of Micro$oft with no choice for the user.

Linux should be the answer but it's not, as bad as M$ is Linux support always reverts to the command line with unfamiliar, cryptic strings.  The Linux fans don't seem to see this as a problem but I believe it's the biggest barrier to widespread adoption (along with lack of support from game/hardware developers).

Armed Resistance's picture

This reads like a lame after-school special. Fear, fear, fear and more fear. And for goodness sake, DO NOT remove your fiat currency and trade it for something that could be devalued without you knowing! Let the professionals handle that business!!

onmail1's picture


LA_Goldbug's picture

Sales of Windows OS are going to go through the ...... floor.

PS: There should be a special program for PC which keeps track of the cost of maintaining that PC's Windows OS. Down time included. I bet that would be very enlightening.

Does anyone have any sources of info as to how much it cost to have OS running on a firms/corp machine ?