The Anti-virus Times

Thursday, May 17, 2018

Many of our readers still remember the WannaCry outbreak. Several Anti-virus Times issues were devoted to the incident. Let us remind you of one fact:

So it turns out that while everyone was scared of WannaCry, Adylkuzz was much more successful at penetrating Windows computers. But media outlets didn't say a word about it.

A while ago, we mentioned the Trojan as an example to show that the media often pay much more attention to less common and less dangerous malicious programs.

Meanwhile, Adylkuzz was much more peculiar and headline worthy than WannaCry. And it generated income by mining cryptocurrencies. This advanced rogue application didn't merely launch a mining module but also compromised running processes.

Interestingly, Adylkuzz "took care" of the infected computers—once a system was compromised, it would close port 445 to prevent other WannaCry followers from infecting the computer.

After successfully exploiting the SMB vulnerability, attackers would inject malicious code into the lsass.exe process, which is always running on Windows machines. This enabled the Trojan to persist in infected systems. Most tasks were performed using out-of-the-box Windows utilities or other malicious tools.

The virus makers also created a new user account, downloaded the required utilities and updated them if those found in the system proved to be outdated. Then the malware made sure that all the components would be launched automatically… And, of course, they used Mimikatz to collect user credentials and access other remote hosts to enrol them in the Monero mining botnet.

You can find out more about this here and here. Dr.Web detects the malware as Backdoor.Spy.3365.

Adylkuzz would gobble up all the available system resources for mining and tamper with the task manager process taskmgr.exe to make sure that it wouldn't reveal the upsurge in CPU and memory usage.

So it is more than just a "running application".

There exists another sophisticated mining application called CoinMiner (Dr.Web detects it asTrojan.BtcMine.1505). It also uses the EternalBlue exploit from the NSA hacking tools collection to delete or launch the backdoor in a system. However, WMI (Windows Management Instrumentation) scripts are used to perform its basic tasks. CoinMiner is not stored on a disk as a file and uses WMI to hide its presence. Specifically, WMI Standard Event (scrcons.exe) is used to run the scripts.

WMI is a basic Windows component facilitating the automation of daily routines, scheduling, system information gathering, file operation monitoring, etc.

And JScript can be used to run WMI routines.

And let's get back to WannaCry, which we discussed at the beginning of the issue. According to British cyber-security firm Kryptos Logic (https://www.bleepingcomputer.com/news/security/wannacry-ransomware-sinkhole-data-now-available-to-organizations), in March 2018 alone, as many as 100 million requests from 2.7 million unique IPs were sent to their WannaCry sinkhole/killswitch domain. Even though WannaCry is far from being the scariest malicious suite of programs, it lives on!