The Anonymous Parasite:

Crypto Currency Miner Malware
The anonymous active malware that shook the Internet followed the footsteps of WannaCry and NotPetya, which shook the world as a result of America’s largest and most secretive intelligence agency NSA being infiltrated by shadow brokers, a hacker group. National Security Agency developed tools to gain potential information, which are, in most cases, vulnerabilities and zero-days that could tear down almost every system on the planet. They were meant to be secure and to be used as a last resort at a national level threat, which ended up being the tools for the world’s biggest malware attacks in history.
Adylkuzz is a result of this, this is a novice and still in the wild probably making millions or even billions to infamous cybercriminals or a foreign nation by utilizing people’s resources for their benefit. Adylkuzz is a cryptocurrency mining malware which makes money using systems resources instead of asking as a ransom.
This paper aims to understand, study and provide a forensic analysis of the malware along with its scope and a complete analysis to prevent and detect summing up to the worst-case scenario and how dangerous malware can be.

Required Exposition

To completely understand the malware and why it originated, it is important to understand cryptocurrency mining and blockchain concepts in working. I hope to brush these topics for any reader with a lack of understanding or knowledge, just like when I started.

Cryptocurrency is peace of the most expensive and ultra-secure data treated as money, which came into existence to counter Fiat money’s [current money system, which is agreed upon based on trust in the government and maintained by a bank] non-transparent centralized infrastructure. Cryptocurrency is completely transparent, open, and trackable, as all the transactions and balances are stored on every computer participating in the system (BlockChain) rather than only the bank. But impossible to gain information on who is sending what to whom, which in most cases is favorable for malicious black market or dark web trades in the present world scenario.

Blockchain is a revolutionized trusted peer-to-peer data interaction to access, verify, and transact with each system which is a solution for decentralizing, trust, and direct access of the data that is, in most cases, referred to be invented to power the cryptocurrency.

Blockchain technology uses a decentralized network of computers to hold the ledger method of information, possibly eliminating the ability to tamper with the data placed by each individual in the form of chronological blocks that cannot be rewritten. And for someone to place a block of information, a cryptographic puzzle should be solved(solved by a computer) and then shared with all the computers on the network as a “proof-of-work,” which is then verified by each computer on the network only after which it is added as a next block to the chain together which establishes trust among each block on the chain.

Coming back to the final reason explanation, similar to blockchain, anyone who wants to participate in updating the ledger of a cryptocurrency transaction should guess a random number that solves an equation generated by the system. If this number is correct, the individual can earn a Bitcoin and the ability or the right to write the next page of that cryptocurrency transaction on the blockchain after being validated by each of the other individual participants [called Miners] and eventually becomes a temporary Banker of that crypto currency[In this case Monero]. After the transaction is complete, the computer generates a fixed amount of bitcoin as a reward or compensation for the time and energy spent by the individual in solving the math problem.

The Reason of Existence

The origin of Adylkuzz points straight to the complexity of solving the math problem, in other words, Cryptocurrency mining, which needs an exponential amount of computational resources and proved to be non-profitable to invest in such resources by an individual. Hence an individual or a group of prominent hackers came up with a generation of malware or referred to as a more lucrative cousin to WannaCry, from the tools developed by the NSA.

Discovery

Monero is an open-source cryptocurrency that enhances anonymity capabilities with similar functions to Bitcoin technology. As the number of users keeps increasing, the feasibility of solving the math problem[proof-of-work] for mining bitcoin falls, almost resulting in no-profit outcome for new miners. And also, due to the reputation and popularity of Bitcoin, Bitcoin blockchain data mining came into existence through which the organizations responsible for it can de-anonymize Bitcoin transactions. Thus, to overcome these problems, Monero is developed with additional features, which include Ring signatures and stealth addresses, which make it a private, more secure, and untraceable currency keeping its transactions anonymous.
This might be the reason for hackers to accept payment in terms of Monero currency from the WaannaCry Ransomware cyber-attack. It is also observed that many of the darknet markets, including AlphaBay, an underground marketplace adopted Monero, which showed a potential surge in its transaction activity.

EternalBlue

EternalBlue was developed by NSA and intended to keep it secure and secret and use it against national-level threats. This turned when The Shadow Brokers, a group of hackers, infiltrated NSA and leaked several exploitation tools, which also includes EternalBlue, the result of which is one of the biggest ransomware attacks campaigns WannaCry and now Adylkuzz.
EternalBlue works on all Windows versions up to Windows 7, and some of the Windows 8, Windows 10, and Windows server versions are taking advantage of multiple vulnerabilities in SMBv1[Server Message Block]. A complete list of vulnerable versions is listed under CVE-2017-0144.

SMB Protocol

It is embedded into Windows as a network file-sharing protocol that allows a system to access, request, and allow files or services to and from the host system to and from a remote server. It is also known as the common Internet file system by its functionality as an application layer network protocol that serves as a medium to share and provide access to files, printers, ports, and communication between nodes in a network.
The service consists mainly of 4 widely known vulnerabilities that lead to Remote Code Execution and Denial of service. EternalBlue exploits 3 major vulnerabilities, all leading to a successful Remote Code execution. Details of the exploits are available almost to everyone due to the page limit concentrating on malware. However, the vulnerabilities can be found here.
Wrong Casting Bug
Wrong Parsing Function Bug
Non-paged Pool Allocation Bug
https://www.exploit-db.com/exploits/41987
https://www.exploit-db.com/exploits/42030
https://www.exploit-db.com/exploits/42031
Microsoft initially fixed all the vulnerabilities in all the systems above Windows 8.1, later published to former versions due to the WannaCry campaign. But the extent of completely overthrowing the vulnerability is impossible due to a large number of legacy systems and non-tech savvy users.

DoublePulsar

Similar to EternalBlue, DoublePulsar, a backdoor implant, was leaked by the ShadowBroker group when they infiltrated the United States National Security Agency’s Equation Group. It was found that the tool infected more than 250000 Microsoft Windows computers and is much more powerful than Heartbleed.
DoublePulsar is quite interesting and triggered by EternalBlue; it is a multi-architecture kernel-level payload that resides in memory. As it is a kernel-level, it gives attackers full control over the system to run any raw shellcode payloads. It uses the SMB ports on the machine to further infect the system by loading other malware into the system. It is analyzed that this malware has specific limited tasks it could perform, which include running:
a. a DLL on the host systems
b. Loading a Shellcode
c. Uninstalling itself
d. Responding to a specific ping request.

As it acts as an intermediate to load malware and further infect the system, there is a way to detect if the system is compromised or not. Countercept released a Python script to check this. The system infected with this sends a “trans2 SESSION_SETUP” request intended to check whether is system is compromised or not. The system will respond with a message with different multiplexer ID 65(0x41) for the normal system and 81(0x51) for the infected system and later which can be used to take control of SMB service, and further infect with other malware, launch remote code or even to exfiltrate data.
Microsoft has patched the vulnerabilities later, and recently, tools have updated enough to detect DoublePulsar, which only allowed hackers to install custom backdoors along with EternalBlue.

Malware Analysis

The complete attack consists of 3 parts, as explained earlier. However, analysis of the initial 2 parts related to EternalBlue and DoubePulsar are not conducted in this study as they are not the main objective; however, for a complete and clear understanding, I added them to the study based on bibliographic study already available.

Collection and Acquisition

Environment: I chose to use Windows 7 Virtual machine with VMWare as the particular Operating system is vulnerable. I also later tried it on a Windows 10 VM to find the same behavior of the malware. And for accurate results, turn off windows defender and any antivirus present in the system.
Steps: Updated VMware and took a snapshot, initialized all the tools, turned off windows defender and Firewall in windows 10, initialized virtual machine network to NAT in Windows 7, and Bridged in Windows 10 to understand and experiment with the malware Behavior.
Malware: I have downloaded 2 different samples of the malware from any. run, which is the same sample on Maltiverse.com, and VirusTotal checked the hashes to validate the samples. And another sample from GitHub.
Tools: I intended to perform Behavioral, Network analysis and conclude with threat analysis of the malware using Process Hacker, Wireshark, Process Monitor, RegShot, PEiD, PEStudio, CFF Explorer, and EXEInfo PE.

Static Analysis

It is observed that the malware is packed by VMProtect (v3.00 – 3.1.2) with entropy 7.97 and with GUI interface and is executable. But no information regarding version, libraries, Identifiers, or PE header information from PEiD or PEStudio as the application closes as soon as the malware is loaded.

Found Section Headers of the malware from CFF explorer.

Not much information is obtained from static analysis hence moving to Dynamic analysis and Behavioral Analysis.

Behavioral Analysis

It is observed that multiple incoming connections from a remote source on the victim system’s SMB port 455 which is open and listening.

Later observed that the incoming connections over the SMB port were attempting to deliver DoublePulsar, which was confirmed as the Adylkuzz began functioning right after the end of incoming connections. Hence concluded that the exploit infects the SMB service to run and install a backdoor further to push the actual payload. Cyber reason captured these details, which I used for bibliographic research of the initial part of the attack

1 KAFEINE, Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar(proofpoint, 2017).

From these images, it is evident that the DoublePulsar backdoor is responsible for/used to download the Adylkuzz botnet using the svchost.exe application from that particular IP address. This is concluded as multiple antivirus vendors found the IP addresses malicious.

KAFEINE, Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar(Proofpoint, 2017).

Adylkuzz Malware Behavioral Analysis

The following study is conducted based on the above conditions and using the above-mentioned tools. I initialized Wireshark to capture network traffic, initialized Process Hacker and Process Monitor and applied filteràoperationàProcess Create. To exactly understand the working of malware. Ran the malware file with administrator privileges as in a real attack.

Multiple processes similar to the above flashed on the screen immediately after running the malware. Also found, multiple processes are created in Process Monitor.

We found that the malware used the command line to kill certain programs like hdmanager.exe, mmc.exe, and msiexev.exe, stopped and deleted a service called WELM, modified firewall rules, added filter rules using netsh command. As stated in the work, the malware blocked the SMB port 445 to deny further communicating and relatively further exploitation by itself or any other malware.

And also found running a program something related to Monero, probably a mining application.

It also installed remote access to wmidap which is a program to update performance and probably to hide the CPU usage.

Another Important observation was when I tried to see CPU usage from Process Hacker, the CPU usage started fluctuating the moment I closed the application to 100 and then much less however found msiexev.exe service utilizing almost 100 percent of the CPU.

And when viewed by the task manager dropped, the percentage to almost negligible and immediately increased the usage when closed.

The malware installed an application in Windows Fonts Location that is executed to kill or initiate any process and probably the miner itself. Observed the application running immediately after running task manager to kill msiexev.exe which is installed by the malware.

I used RegShot to check for changes made in the registry and found 24 Keys and 193 values added to the registry, along with 28 values being modified, summing up to 245 changes in the registry.
It is evident that malware changed firewall rules, installed new applications, initialized the session, changed IPsec Policies, and much more.

Network Forensics

Wire shark captured multiple HTTP requests immediately after running the malware.

Found the first request made is to Broadcom.com, which is actually establishing a device-to-device connection without passing through the router in between, followed by the second request, a layer 3 forwarding from Netgear router [in this case].

Then it typically announces that it is successfully installed and requests instructions.

Later it is evident that the malware requested a text file consisting of instructions to run the Monero miner application, then closed the connection. Then malware also downloaded certain applications, which include 64.exe,

Malware also reported the victim’s system configuration and details to a remote server.

Malware also reported host system details to a remote server which is quite interesting. It is also tried to get actual IP from icanhazip.com as well.

It is also evident that a session is active and running which is confirmed by smss.exe running in the victim system.

Indicators of Compromise

HostName – 08[.]super5566[.]com, pool[.]minexmr[.]com, icanhazip
IP – 45[.]77[.]127[.]212, 66[.]42[.]19[.]188(Adylkuzz server), 66[.]42[.]108[.]166, 104[.]22[.]19[.]188, 77[.]234[.]44[.]86
04-19-2020
File – msiexev.exe, mine.txt, 64.exe, WUAUSER
Hash -> ea16ded2-227f-4161-837b 493764d9e65b
Services – WELM, SMB
Miner Hash – 436jRfZbdEkPXJb5eiS72Vg5zdfrMTcrp9a1q9rn9KMU1r62hZbXqqc8q7D1qrShhUcQvuDNq5gvCf7ffQXutoJGPUBJXT

Conclusion

It is observed that the malware stays active and initializes even after a restart with the same remote host and creates a session. The system performance hits 100% and later hangs and becomes unusable. For Windows 10 firewall, Windows Defender and any other security should be turned off and malware did not affect the host system in any way and worked similarly in both the operating systems. 

Later it is observed that the mining process is fixed to a hash. It is quite surprising to see the attack working on a Windows 10 system which is possible if initial steps of EternalBlue are somehow replaced[For this analysis it is directly downloaded from an online source]. 
It is also evident that 2-year-old attack campaign is still active and mining Monero cryptocurrency. The malware can be completely prevented by patching the latest updates and installing good antivirus. Indicators of compromise can be installed into detection systems and found recent updates have made it easy to detect Adylkuzz. The Malware itself is quite robust and complex capable of doing far more hideous actions to/on the victim system.

The various analysis steps display how powerful the malware is and how brilliantly designed to stay anonymous while utilizing the resources and making money for its owner like a parasite.

References
Bhat, Shakeel. 2017. DoublePulsar – A Very Sophisticated Payload for Windows. 01 June. Accessed April 17, 2020. https://www.secpod.com/blog/doublepulsar-a-very-sophisticated-payload-for-windows/.
Distler, Dennis. February 12, 2008. Malware Analysis: An Introduction. SANS Institute.
Global, F-Secure. 2017. Analyzing the DOUBLEPULSAR Kernel DLL Injection Technique. 19 April. Accessed April 18, 2020. https://blog.f-secure.com/analyzing-the-doublepulsar-kernel-dll-injection-technique/.
Grossman, Nadav. 2017. EternalBlue – Everything There Is To Know. 29 September. Accessed April 17, 2020. https://research.checkpoint.com/2017/eternalblue-everything-know/#bugc.
KAFEINE. 2017. Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar. 15 May. Accessed April 17, 2020. https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar.
Monaco, Fabrizio. 2017. malware-samples/Adylkuzz/. 18 May. Accessed April 18, 2020. https://github.com/fabrimagic72/malware-samples/tree/master/Adylkuzz.
NIST. 2018. CVE-2017-0144 Detail . 06 June. Accessed April 17, 2020. https://nvd.nist.gov/vuln/detail/CVE-2017-0144.
SentinelOne. 2019. Eternalblue | The NSA-developed Exploit That Just Won’t Die. 27 May. Accessed April 17, 2020. https://www.sentinelone.com/blog/eternalblue-nsa-developed-exploit-just-wont-die/.
Wikipedia. 2020. The Shadow Brokers. 06 April. Accessed April 17, 2020. https://en.wikipedia.org/wiki/The_Shadow_Brokers.