Symantec Security Response – Adylkuzz Crytocurrency Miner Is Not the Next WannaCry
Adylkuzz impact and prevalence is much lower than WannaCry
There have been reports of another threat, known as Adylkuzz, leveraging MS17-010 to propagate to vulnerable machines.
MS17-010 is the same vulnerability used by WannaCry to propagate across networks however this is where the similarity
with Adylkuzz ends.
Symantec customers using IPS have been proactively protected against attempts to exploit MS17-010.
Cryptocurrency mining
The main purpose of Adylkuzz is to mine Monero, a crytocurrency similar to Bitcoin. Adylkuzz installs a known
cryptocurrency miner called cpuminer on compromised machines. Adylkuzz performs its mining operations in the background
therefore infected users are unlikely to notice its presence. However, mining operations are CPU intensive so having a
miner running on your machine could lead to performance issues.
While a nuisance, Adylkuzz does not have the same impact on compromised machines as ransomware threats which could lead
to data loss and wide scale disruption.
Propagation
Adylkuzz leverages MS17-010, also known as EternalBlue to compromise machines. Adylkuzz attackers scan the internet for
vulnerable machines to install their malware. Unlike WannaCry, Adylkuzz does not have the ability to self-propagate. It
was WannaCry’s ability to self-replicate that allowed it to spread very quickly within organisations.
Low prevalence
Due to the effectiveness of IPS in proactively blocking infections, Symantec is observing low infections of Adylkuzz.
Symantec has blocked over 44 million attempts to exploit MS17-10 and observed fewer than 200 machines with Adylkuzz
infections.
For more information or to speak to a Symantec spokesperson please contact Veronica Rojo at veronicar@botica.co.nzor visit the Symantec Security Response blog post available here.