I knew this would happen. WannaCry (also known as WannaCrypt) is the notorious ransomware that achieved spectacular success. The vulnerability used by this virus was patched by Microsoft 2 months ago, but many people do not install updates or still use an out-of-date version of Microsoft's operating system. It was only a matter of time before we saw other worms using the same vulnerability. And here is one of them: Adylkuzz.

Adylkuzz, like WannaCry, uses the EternalBlue exploit stolen from NSA servers. It relies on a vulnerability in the implementation of the SMB protocol in Microsoft operating systems, specifically Windows XP, Vista, 7, 8, 8.1 and 10, so practically every version in current use, since nobody runs Windows 98 or 2000 anymore. As a reminder, this issue was addressed in security bulletin MS17-010. Microsoft even released a patch for Windows XP and Vista, but only after the first wave of WannaCry attacks. Not only ordinary computers were hit, but also ATMs, parking meters, timetable displays and in-store billboards.

The Adylkuzz virus uses the victim's machine to mine the Monero cryptocurrency.

Monero is a Bitcoin-like currency used for anonymous online transactions. After infecting a computer, Adylkuzz does not encrypt any files. Instead, it installs a program called cpuminer, which mines Monero coins. The criminals' goal is to keep the virus hidden for as long as possible: every undetected machine gives them free computing power that generates income for them in cryptocurrency.

Interestingly, the cybercriminals did not give Adylkuzz the self-propagation mechanism known from WannaCry. This is a bit strange, because that mechanism is exactly what allowed WannaCry to hit so many computers. In this case the attackers themselves scan the Internet for vulnerable machines. Perhaps they simply want to reduce the chance of their virus being detected.

Source: Symantec