New evidence has revealed that nearly three weeks before the WannaCry ransomware outbreak, at least one cybercrime group was using the same NSA exploits — ETERNALBLUE and DOUBLEPULSAR — to infect computers with malware that mined for the Monero cryptocurrency.
The only reason nobody noticed these attacks is that this particular malware — named Adylkuzz — did not destroy user data and was programmed to close down SMB ports.
While this was done to keep other malware from infecting the same computer and eating into its mining resources, it had the side effect of protecting some previously vulnerable computers from the virulent WannaCry ransomware attacks that took place over the last 4-5 days.
Adylkuzz was spotted by Proofpoint security researcher Kaffeine, the same researcher who discovered that the WannaCry group was using the ETERNALBLUE exploit to spread to new computers.
This is no surprise, as by that point Kaffeine was well versed in detecting the NSA hacking tools. The researcher had noticed large-scale scans for the SMB port used by the ETERNALBLUE exploit, and these scans predated WannaCry by almost three weeks, going back to April 24.
That's when he first noticed the Adylkuzz malware infecting computers with their SMB port exposed to the Internet.
As time went by and the researcher gathered more data, he discovered a threat actor using a series of C&C servers to launch scans for SMB vulnerable machines, deploying the ETERNALBLUE exploit, installing the DOUBLEPULSAR backdoor, and then deploying the final payload of Adylkuzz.
Over time, Kaffeine discovered more than 20 servers used to perform these massive SMB scans. According to Kaffeine, the statistics suggest that this attack may be larger in scale than WannaCry.
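A defender-side illustration of how such SMB sweeps stand out in perimeter logs, added here as an example and not part of Proofpoint's research or the original article. The log line format, the 60-second window and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log format (not from the article): "<iso-timestamp> <action> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one host sweeping 445/tcp across a /24, one host doing ordinary file-share traffic.
SAMPLE_LOGS = "\n".join(
    [f"2017-04-24T10:00:{i:02d} ACCEPT src=203.0.113.7 dst=192.0.2.{10 + i} dport=445" for i in range(8)]
    + [
        "2017-04-24T10:00:03 ACCEPT src=198.51.100.5 dst=192.0.2.50 dport=445",
        "2017-04-24T10:00:04 ACCEPT src=198.51.100.5 dst=192.0.2.50 dport=445",
        "2017-04-24T10:00:05 ACCEPT src=198.51.100.5 dst=192.0.2.51 dport=80",
        "2017-04-24T10:00:30 ACCEPT src=203.0.113.7 dst=192.0.2.99 dport=445",
    ]
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches the assumed format."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_smb_sweeps(lines, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct 445/tcp targets inside any `window`}
    for sources that reach at least `min_targets` distinct hosts on 445 within one window.
    A single client talking repeatedly to one file server never trips this."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 445:
            events[src].append((ts, dst))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # dst -> hits currently inside the sliding window
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps
```

Running `find_smb_sweeps(SAMPLE_LOGS)` on the constructed sample flags only the sweeping host, with nine distinct targets inside one window.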
In fact, because Adylkuzz had infected many vulnerable machines long before WannaCry and shut down their SMB port, the malware might have accidentally saved many potential victims from having their data encrypted by WannaCry.
Kaffeine also argues that many of the attacks attributed today to the WannaCry ransomware could very well be caused by Adylkuzz.
"Symptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance," Kaffeine explains. "Several large organizations reported network issues this morning that were originally attributed to the WannaCry campaign. However, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz activity."
According to Kaffeine, the three Monero wallets used to collect the proceeds for the malware's mining operations have netted the group at least $43,000, but the crooks have almost certainly earned much more.