By Bryan Lares and Marla Rosner
While the world has been fascinated with and affected by the ransom takeover of Wannacry, a worm that exploited Windows machines that had not applied Microsoft’s security patches, a new and more sophisticated variant has been playing out behind closed doors in the darknet.
Adylkuzz is different in that it doesn’t leave ransom notes or encrypt your files. It runs invisibly in the background, using the NSA’s EternalBlue exploit (CC-1353) that was made public by the hacking group Shadow Brokers earlier this year. Although it doesn’t spread at the same lightning speed as Wannacry, it’s just as threatening to corporations and the world of machine learning.
Figure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz being downloaded from another host. A hash of a pcap of this capture is available in the IOCs table. Credit: https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
By leveraging the same Windows exploit as Wannacry, Adylkuzz slips in and operates in the background of infected computers. Rather than sitting behind closed doors and solely stealing information, this malware installs “mines” that generate a cryptocurrency, or digital money, called Monero. Mining this currency consumes computing power: the more powerful the computer, the more currency can be mined from it.
Figure 2: Adylkuzz mining Monero cryptocurrency, a process that can be distributed across a botnet like the one Adylkuzz creates more easily than Bitcoin mining, which now generally requires dedicated, high-performance machines. Credit: https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
SparkCognition has been on the forefront of cybersecurity, detecting and blocking the Wannacry, Double Agent, and Popcorn Time malware with its advanced cognitive security solution, DeepArmor.
DeepArmor is SparkCognition’s artificial intelligence powered endpoint security solution, using machine learning to detect cyber threats before they unfold. In the case of Adylkuzz, DeepArmor’s Real-Time File Monitoring technology was able to detect and mitigate the undocumented threat autonomously. Because DeepArmor is an advanced form of cognitive endpoint detection, it was able to block this zero-day threat without any prior training, human interaction, or intervention.
By utilizing the power of its machine learning algorithms, DeepArmor detected an unknown file before it could plant a mine in the system. Adylkuzz goes beyond simply slowing down your computer system: it silently mines cryptocurrency and ships it out to its operators. This malware is intriguing to those inside the field because it blocks other viruses from infecting the computer while it’s mining, making it even more difficult to detect.
DeepArmor, which is trained on millions of malicious files for instances such as this, detected the initial presence of the worm before its creator could drive any further action. If your system is under invisible attack by Adylkuzz, you’ll likely experience a loss of access to shared resources in Windows, along with degraded server performance.
Because Adylkuzz is less flashy than Wannacry, it can be harder to detect without the proper security measures in place. With DeepArmor, you can rest assured that your assets are being protected and your information and platforms aren’t being mined.
Adylkuzz predates Wannacry; some researchers have noted its presence as early as April 24. DeepArmor’s proprietary machine learning detected Adylkuzz’s attempted entry into the system and shut it down in a matter of seconds, not minutes. When dealing with malware, time is of the essence, and with DeepArmor, time is on your side.
Want to learn more about DeepArmor and how it protects against the latest attacks? Take a look at the webinar we presented with SANS, “How to Use the Power of Artificial Intelligence to Minimize Your Cybersecurity Attack Surface.”