The anonymous, still-active malware that shook the Internet followed in the footsteps of WannaCry and NotPetya, which shook the world after America’s largest and most secretive intelligence agency, the NSA, was infiltrated by the hacker group Shadow Brokers. The National Security Agency developed tools to gain intelligence, which are in most cases exploits for vulnerabilities and zero-days that could bring down almost every system on the planet. They were meant to be kept secure and used only as a last resort against a national-level threat, yet they ended up powering the biggest malware attacks in history.
Adylkuzz is a result of this. It is a new malware strain still in the wild, probably making millions or even billions for infamous cybercriminals or a foreign nation by using other people’s computing resources for their own benefit. Adylkuzz is cryptocurrency-mining malware: it makes money from system resources instead of asking for a ransom.
This paper aims to study and provide a forensic analysis of the malware along with its scope, and a complete analysis of how to prevent and detect it, ending with the worst-case scenario and how dangerous this malware can be.
Original Research Notice: At the time of writing, this forensic analysis was one of the first independent hands-on behavioral studies of Adylkuzz. The CPU evasion technique, registry changes, and network traffic patterns documented here were not widely published or independently confirmed by other researchers at the time.
Background
Required Exposition
To completely understand the malware and why it originated, it is important to understand cryptocurrency mining and blockchain concepts and how they work. I hope to brush up on these topics for any reader who lacks this background, as I did when I started.
Cryptocurrency is a highly valuable, ultra-secure piece of data treated as money, which came into existence to counter the non-transparent, centralized infrastructure of fiat money. Fiat money is the current monetary system, agreed upon on the basis of trust in the government and maintained by banks.
Cryptocurrency is completely transparent, open, and trackable, as all the transactions and balances are stored on every computer participating in the system, which is the blockchain, rather than only the bank. But it is impossible to gain information on who is sending what to whom, which in most cases is favorable for malicious black market or dark web trades in the present world scenario.
Blockchain is a revolutionary trusted peer-to-peer system for accessing, verifying, and transacting data between systems. It is a solution for decentralizing trust and enabling direct access to data, and is in most cases described as having been invented to power cryptocurrency.
Blockchain technology uses a decentralized network of computers to hold the ledger method of information, possibly eliminating the ability to tamper with data placed by each individual in the form of chronological blocks that cannot be rewritten. For someone to place a block of information, a cryptographic puzzle must be solved by a computer and then shared with all computers on the network as a proof-of-work. This is then verified by each computer on the network, only after which it is added as the next block to the chain, which together establishes trust among each block on the chain.
Similarly, anyone who wants to participate in updating a cryptocurrency’s transaction ledger must guess a random number that solves an equation generated by the system. Whoever finds a correct number earns a Bitcoin and gains the right to write the next page of that cryptocurrency’s transactions onto the blockchain, once it has been validated by each of the other participants, called miners; that participant momentarily acts as the banker of the currency, in this case Monero.
After the transaction is complete, the computer generates a fixed amount of bitcoin as a reward or compensation for the time and energy spent by the individual in solving the math problem.
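To make the "guess a random number that solves a puzzle" step concrete, here is an added example written for this article, not code from the original paper: a simplified proof-of-work in which a miner searches for a nonce whose SHA-256 hash of header-plus-nonce begins with a chosen number of hex zeros, and a verifier confirms it with a single hash. Monero at the time used a different, memory-hard hash function (CryptoNight), and the block reward logic is omitted; the header string and difficulty below are constructed values.

```python
"""Simplified proof-of-work: the mining 'guess' and its cheap verification.

Added example, not from the original paper. SHA-256 over header||nonce
stands in for the currency's real hash function; values are constructed."""
import hashlib


def pow_hash(block_header: str, nonce: int) -> str:
    """Hash the candidate block: header text concatenated with the nonce."""
    return hashlib.sha256(f"{block_header}{nonce}".encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_zeros: int) -> bool:
    """The puzzle: the hex digest must start with difficulty_zeros zeros."""
    return digest_hex.startswith("0" * difficulty_zeros)


def mine(block_header: str, difficulty_zeros: int, max_nonce: int = 10_000_000):
    """Brute-force nonces until one satisfies the target; None if none found.

    This loop is the work the miner must pay for in CPU time and energy."""
    for nonce in range(max_nonce):
        if meets_target(pow_hash(block_header, nonce), difficulty_zeros):
            return nonce
    return None


def verify(block_header: str, nonce: int, difficulty_zeros: int) -> bool:
    """Every other participant checks the claimed solution with one hash."""
    return meets_target(pow_hash(block_header, nonce), difficulty_zeros)


def expected_attempts(difficulty_zeros: int) -> int:
    """Each extra hex zero multiplies the expected search by 16."""
    return 16 ** difficulty_zeros


if __name__ == "__main__":
    header = "constructed-block-header"   # constructed sample input
    for difficulty in (1, 2, 3, 4):
        nonce = mine(header, difficulty)
        print(f"difficulty={difficulty} expected~{expected_attempts(difficulty)} "
              f"nonce={nonce} valid={verify(header, nonce, difficulty)}")
```

Finding the nonce costs thousands of hashes; checking it costs one. That asymmetry is why the cost of mining honestly grows so fast with difficulty, and why stolen CPU time becomes attractive to an attacker.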
Origin
The Reason for Existence
The origin of Adylkuzz points straight to the complexity of solving the math problem, in other words cryptocurrency mining, which needs enormous computational resources and proved unprofitable for an individual to invest in. Hence an individual or a group of prominent hackers came up with a new generation of malware, referred to as a more lucrative cousin of WannaCry, built from the tools developed by the NSA.
The logic is simple: if you cannot afford the computing power to mine profitably on your own, you steal it from thousands of others without their knowledge. Adylkuzz does exactly that.
The Currency
Discovery: Why Monero?
Monero is an open-source cryptocurrency with stronger anonymity features, built on functions similar to Bitcoin’s technology. As the number of users keeps increasing, the feasibility of solving the proof-of-work math problem for mining Bitcoin falls, resulting in almost no profit for new miners. Owing to Bitcoin’s reputation and popularity, Bitcoin blockchain data mining has emerged, through which the organizations doing it can de-anonymize Bitcoin transactions.
To overcome these problems, Monero was developed with additional features, including ring signatures and stealth addresses, which make it a private, more secure, and untraceable currency, keeping its transactions anonymous. This is likely the reason hackers accepted payment in Monero from the WannaCry ransomware attack. It has also been observed that many darknet markets, including AlphaBay, an underground marketplace, adopted Monero, which showed a potential surge in its transaction activity.
For an attacker running a cryptomining botnet, Monero is the obvious choice: untraceable, increasingly valuable, and already normalized on criminal infrastructure.
The Exploit
EternalBlue
EternalBlue was developed by the NSA and intended to be kept secure and secret, used only against national-level threats. That changed when the Shadow Brokers, a group of hackers, infiltrated the NSA and leaked several exploitation tools, EternalBlue among them. The result was one of the biggest ransomware attack campaigns in history: WannaCry, and now Adylkuzz.
EternalBlue works on all Windows versions up to Windows 7, and some Windows 8, Windows 10, and Windows Server versions, taking advantage of multiple vulnerabilities in SMBv1, the Server Message Block protocol. A complete list of vulnerable versions is given under CVE-2017-0144.
The Protocol
SMB Protocol
SMB is embedded into Windows as a network file-sharing protocol that allows a system to access, request, and share files or services to and from a remote server. It is also known as the Common Internet File System (CIFS), an application-layer network protocol that serves as a medium for sharing and providing access to files, printers, and ports, and for communication between nodes in a network.
The service has 4 widely known vulnerabilities leading to Remote Code Execution and Denial of Service. EternalBlue exploits 3 major vulnerabilities, all leading to a successful Remote Code Execution:
- Wrong Casting Bug
- Wrong Parsing Function Bug
- Non-paged Pool Allocation Bug
Details available at: exploit-db.com/exploits/41987, 42030, 42031
Microsoft initially fixed all the vulnerabilities in systems above Windows 8.1, and later published patches for older versions because of the WannaCry campaign. However, completely eradicating the vulnerability is impossible because of the large number of legacy systems and non-tech-savvy users still running unpatched versions.
The Backdoor
DoublePulsar
Similar to EternalBlue, DoublePulsar, a backdoor implant, was leaked by the Shadow Brokers when they infiltrated the United States National Security Agency’s Equation Group. It was found that the tool infected more than 250,000 Microsoft Windows computers and is considered much more powerful than Heartbleed.
DoublePulsar is triggered by EternalBlue. It is a multi-architecture kernel-level payload that resides in memory. Because it operates at the kernel level, it gives attackers full control over the system to run any raw shellcode payloads. It uses the SMB ports on the machine to further infect the system by loading other malware. Analysis shows this malware has specific limited tasks it can perform:
a. Running a DLL on the host system
b. Loading a shellcode
c. Uninstalling itself
d. Responding to a specific ping request
As it acts as an intermediary that loads further malware, there is a way to detect whether a system is compromised. Countercept released a Python script for this check. The script sends a “trans2 SESSION_SETUP” request to the target over SMB; an uninfected system answers with Multiplex ID 65 (0x41), whereas a system infected with DoublePulsar answers with 81 (0x51). The same implant can later be used to take control of the SMB service and further infect the host with other malware, launch remote code, or exfiltrate data.
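The Multiplex ID check above reduces to parsing one SMB1 header. The following is an added example written for this article, not Countercept’s script: it parses the NetBIOS session header and the fixed 32-byte SMB1 header of a trans2 reply and classifies the responding host by the Multiplex ID field (0x41 clean, 0x51 implanted). The SMB negotiate, session setup and tree connect that precede the probe on TCP 445, and the sending of the probe itself, are assumed to be done by a separate client; the two sample replies are constructed by hand (their Flags, Flags2, TID, UID and Status values are arbitrary placeholders), so the block runs offline.

```python
"""Classify an SMB1 trans2 SESSION_SETUP reply by its Multiplex ID.

Added example, not Countercept's script. Only the reply-parsing step of the
check is shown; the SMB handshake and the probe on TCP 445 are assumed to be
handled elsewhere. The two sample replies are constructed, not captured."""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41      # 65: an unmodified SMB stack echoes this back
MID_INFECTED = 0x51   # 81: a DoublePulsar-implanted host answers with this


def parse_smb1(packet: bytes) -> dict:
    """Parse the 4-byte NetBIOS session header plus the 32-byte SMB1 header."""
    if len(packet) < 36:
        raise ValueError("too short for NetBIOS + SMB1 header")
    nb_type = packet[0]
    nb_length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:36]
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    # SMB1 header layout after the magic, all little-endian:
    # Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2) SecurityFeatures(8)
    # Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", smb, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {
        "nb_type": nb_type, "nb_length": nb_length,
        "command": command, "status": status, "flags": flags, "flags2": flags2,
        "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid,
    }


def classify_trans2_reply(packet: bytes) -> str:
    """Return 'infected', 'clean' or 'unknown' for a trans2 reply.

    Anything that is not a trans2 reply, or carries a Multiplex ID other than
    the two documented values, is reported as unknown rather than guessed."""
    hdr = parse_smb1(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    if hdr["mid"] == MID_INFECTED:
        return "infected"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_trans2_reply(mid: int, status: int = 0) -> bytes:
    """Construct a minimal trans2 reply for testing (placeholder field values)."""
    smb = SMB1_MAGIC + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, status, 0x98, 0xC807, 0)
    smb += b"\x00" * 8 + b"\x00" * 2                          # SecurityFeatures, Reserved
    smb += struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)  # TID, PIDLow, UID, MID
    payload = smb + b"\x00\x00\x00"                           # WordCount=0, ByteCount=0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


# Constructed sample replies (no real host involved).
CONSTRUCTED_CLEAN = build_trans2_reply(MID_CLEAN)
CONSTRUCTED_INFECTED = build_trans2_reply(MID_INFECTED)

if __name__ == "__main__":
    for name, pkt in (("clean", CONSTRUCTED_CLEAN), ("infected", CONSTRUCTED_INFECTED)):
        print(f"{name}: mid=0x{parse_smb1(pkt)['mid']:02x} -> {classify_trans2_reply(pkt)}")
```

In a real scan the bytes read from the socket after the probe would be passed to classify_trans2_reply; a positive result is a strong indicator that the SMB service should be isolated and the host rebuilt, since the implant lives in kernel memory rather than on disk.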
Microsoft has since patched the vulnerabilities, and security tools have been updated to detect DoublePulsar; during the active campaign window, however, attackers were still able to install custom backdoors alongside EternalBlue.
Full Attack Chain
a. SMBv1 Exploit
b. Backdoor Install
c. Payload Drop
d. Mining Begins
Forensic Study
Malware Analysis
The complete attack consists of 3 parts, as explained earlier. However, analysis of the initial 2 parts, EternalBlue and DoublePulsar, is not conducted in this study, as they are not the main objective. For a complete and clear understanding, they are covered above on the basis of already available published research. The hands-on forensic analysis below covers the Adylkuzz payload itself.
Lab Setup
Collection and Acquisition
Static Analysis
The malware is packed with VMProtect (v3.00 to 3.1.2), with an entropy of 7.97, and is a GUI executable. No information regarding version, libraries, identifiers, or PE header fields was obtainable from PEiD or PEStudio, as the application closes as soon as the malware is loaded.
Not much information was obtained from static analysis due to the packing. Moving to dynamic and behavioral analysis gives a much more complete picture.
Dynamic Analysis
Behavioral Analysis
Multiple incoming connections from a remote source were observed on the victim system’s SMB port 445, which was open and listening.
The incoming connections over the SMB port were attempting to deliver DoublePulsar, which was confirmed when Adylkuzz began running right after the incoming connections ended. This led to the conclusion that the exploit compromises the SMB service to run and install a backdoor, which then pushes the actual payload. Cybereason captured these details, which were used for the bibliographic research on the initial part of the attack.
Hands-On Forensics
Adylkuzz Malware Behavioral Analysis
The following study was conducted under the conditions above using the tools mentioned. Wireshark was started to capture network traffic. Process Hacker and Process Monitor were started, the latter with a filter on Operation: Process Create, to follow exactly what the malware does. The malware file was run with administrator privileges, as in a real attack.
The malware used the command line to kill certain programs including hdmanager.exe, mmc.exe, and msiexev.exe, stopped and deleted a service called WELM, modified firewall rules, and added filter rules using the netsh command. As stated in the published research, the malware blocked SMB port 445 to deny further communication and further exploitation, whether by itself or by any other malware.
The malware also installed remote access to wmidap, a program used to update performance counters, likely to hide CPU usage from standard monitoring tools.
Another important observation: when CPU usage was viewed in Process Hacker, it started fluctuating the moment the application was closed, going to 100% and then much lower. At the same time, msiexev.exe was found using almost 100% of the CPU.
When viewed through Task Manager, the percentage dropped to almost negligible and increased immediately once Task Manager was closed. The malware is actively aware of monitoring tools and adjusts its behavior in real time to avoid detection.
The malware installed an application in the Windows Fonts directory that is executed to kill or start any process, and is probably the miner itself. This application was observed running immediately after Task Manager was opened, in order to kill msiexev.exe.
RegShot was used to check for changes made to the registry. The result: 24 keys and 193 values added, along with 28 values modified, summing up to 245 changes in the registry. The malware changed firewall rules, installed new applications, initialized the session, changed IPsec policies, and much more.
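The behaviours recorded above (killing named processes, deleting the WELM service, blocking port 445 with netsh, running a binary out of the Fonts directory, and a process named msiexev.exe) can be turned into host-based detection rules over process-creation events. The block below is an added example written for this article, not tooling from the original study. Its CSV is constructed to resemble a Process Monitor export filtered on Operation = Process Create; it is not a real capture, and placeholder_miner.exe is a made-up name standing in for the unnamed application dropped under C:\Windows\Fonts.

```python
"""Flag Adylkuzz-style host behaviour in Process Create events.

Added example, not the paper's tooling. SAMPLE_PROCMON_CSV is constructed to
look like a Process Monitor CSV export; placeholder_miner.exe is a made-up
file name for the dropped Fonts-directory binary."""
import csv
import io
import re

# Indicators taken from the behavioural analysis above.
KILL_TARGETS = {"hdmanager.exe", "mmc.exe", "msiexev.exe"}
REMOVED_SERVICE = "welm"

SAMPLE_PROCMON_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"10:01:02.1","explorer.exe","1204","Process Create","C:\\Windows\\System32\\notepad.exe","SUCCESS","PID: 3300, Command line: notepad.exe"\n'
    '"10:01:05.3","cmd.exe","2210","Process Create","C:\\Windows\\System32\\taskkill.exe","SUCCESS","PID: 3312, Command line: taskkill /f /im hdmanager.exe"\n'
    '"10:01:05.9","cmd.exe","2210","Process Create","C:\\Windows\\System32\\sc.exe","SUCCESS","PID: 3318, Command line: sc delete WELM"\n'
    '"10:01:06.4","cmd.exe","2210","Process Create","C:\\Windows\\System32\\netsh.exe","SUCCESS","PID: 3321, Command line: netsh advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block"\n'
    '"10:01:07.0","cmd.exe","2210","Process Create","C:\\Windows\\Fonts\\placeholder_miner.exe","SUCCESS","PID: 3330, Command line: placeholder_miner.exe"\n'
    '"10:01:07.5","placeholder_miner.exe","3330","Process Create","C:\\Windows\\System32\\msiexev.exe","SUCCESS","PID: 3340, Command line: msiexev.exe"\n'
)


def _cmd_line(detail: str) -> str:
    """Pull the command line out of Procmon's 'PID: n, Command line: ...' detail."""
    m = re.search(r"Command line:\s*(.*)$", detail)
    return m.group(1).strip() if m else ""


# Each rule gets (image path, command line) and says whether it fires.
RULES = [
    ("named_process_killed",
     lambda path, cmd: path.lower().endswith("\\taskkill.exe")
     and any(t in cmd.lower() for t in KILL_TARGETS)),
    ("welm_service_removed",
     lambda path, cmd: path.lower().endswith("\\sc.exe")
     and re.search(rf"\b(stop|delete)\s+{REMOVED_SERVICE}\b", cmd, re.I) is not None),
    ("smb445_blocked",
     lambda path, cmd: path.lower().endswith("\\netsh.exe")
     and re.search(r"(localport|port)\s*=?\s*445\b", cmd, re.I) is not None
     and re.search(r"\bblock\b", cmd, re.I) is not None),
    ("exec_from_fonts_dir",
     lambda path, cmd: "\\windows\\fonts\\" in path.lower()),
    ("msiexec_typosquat",
     lambda path, cmd: path.lower().endswith("\\msiexev.exe")),
]


def scan_procmon(csv_text: str) -> list:
    """Run every rule over each Process Create row; return the hits in order."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        path, cmd = row["Path"], _cmd_line(row["Detail"])
        for name, fires in RULES:
            if fires(path, cmd):
                hits.append({"rule": name, "time": row["Time of Day"],
                             "path": path, "cmd": cmd})
    return hits


if __name__ == "__main__":
    for hit in scan_procmon(SAMPLE_PROCMON_CSV):
        print(f"{hit['time']} {hit['rule']:22} {hit['path']}  {hit['cmd']}")
```

The netsh rule deliberately requires both a port 445 reference and a block action, so ordinary firewall administration does not fire it; the Fonts-directory rule is the broadest and is the one most worth feeding into an EDR or Sysmon process-creation query, since no legitimate program should execute from that folder.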
Network Forensics
Wireshark captured multiple HTTP requests immediately after running the malware.
The first request was made to Broadcom.com, establishing a device-to-device connection that did not pass through the router; it was followed by a second request, in this case a layer 3 forwarding from the Netgear router.
The malware then typically announces that it has been successfully installed and requests instructions.
The malware then requested a text file containing instructions to run the Monero miner application, then closed the connection. Additional applications were also downloaded, including 64.exe.
The malware also reported the victim’s system configuration and host details to a remote server, which is quite interesting. It also attempted to obtain its actual external IP address from icanhazip.com.
It is also evident that a session is active and running, confirmed by smss.exe running on the victim system.
Indicators of Compromise
| Type | Indicator | Notes |
|---|---|---|
| Hostname | 08[.]super5566[.]com | C2 server |
| Hostname | pool[.]minexmr[.]com | Monero mining pool |
| Hostname | icanhazip[.]com | External IP lookup |
| IP | 45[.]77[.]127[.]212 | Observed C2 traffic |
| IP | 66[.]42[.]19[.]188 | Adylkuzz server (confirmed malicious) |
| IP | 66[.]42[.]108[.]166 | Observed in network traffic |
| IP | 104[.]22[.]19[.]188 | Observed in network traffic |
| IP | 77[.]234[.]44[.]86 | Observed in network traffic |
| File | msiexev.exe | Miner process (typosquats msiexec) |
| File | mine.txt | Mining instructions downloaded from C2 |
| File | 64.exe | Additional payload downloaded |
| File | WUAUSER | Persistence artifact |
| Hash | ea16ded2-227f-4161-837b-493764d9e65b | Sample identifier |
| Service | WELM | Stopped and deleted by malware |
| Service | SMB port 445 | Blocked by malware post-infection |
| Miner Wallet | 436jRfZbdEkPXJb5eiS72Vg5zdfrMTcrp9a1q9rn9KMU1r62hZbXqqc8q7D1qrShhUcQvuDNq5gvCf7ffQXutoJGPUBJXT | Monero wallet address |
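The table is defanged for safe publication, so it has to be refanged before it can be matched against logs. The block below is an added example written for this article, not tooling from the original study: it refangs the hostnames, IPs and wallet from the table above, then checks them against a handful of constructed DNS/connection log lines and a constructed configuration blob. The log lines and the config text are made up for the example; only the indicators come from the table.

```python
"""Refang the IoC table and match it against network logs and a config blob.

Added example, not the paper's tooling. Indicators are the defanged values
from the table above; SAMPLE_LOG and SAMPLE_CONFIG_TEXT are constructed."""
import ipaddress
import re

DEFANGED_IOCS = {
    "hostname": ["08[.]super5566[.]com", "pool[.]minexmr[.]com", "icanhazip[.]com"],
    "ip": ["45[.]77[.]127[.]212", "66[.]42[.]19[.]188", "66[.]42[.]108[.]166",
           "104[.]22[.]19[.]188", "77[.]234[.]44[.]86"],
    "wallet": ["436jRfZbdEkPXJb5eiS72Vg5zdfrMTcrp9a1q9rn9KMU1r62hZbXqqc8q7D1qrShhUcQvuDNq5gvCf7ffQXutoJGPUBJXT"],
}


def refang(indicator: str) -> str:
    """Undo the usual [.] and hxxp defanging so values compare equal to live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ioc_set(defanged: dict) -> dict:
    """Normalise: lower-case hostnames, validate IPs, keep wallets verbatim."""
    return {
        "hostname": {refang(h).lower() for h in defanged["hostname"]},
        "ip": {str(ipaddress.ip_address(refang(i))) for i in defanged["ip"]},
        "wallet": set(defanged["wallet"]),
    }


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b")

# Constructed log lines in a generic DNS-query / connection format (not real traffic).
SAMPLE_LOG = [
    "2019-03-14T10:01:08Z dns query client=10.0.0.23 qname=08.super5566.com qtype=A",
    "2019-03-14T10:01:08Z dns query client=10.0.0.23 qname=www.example.com qtype=A",
    "2019-03-14T10:01:09Z conn 10.0.0.23:49201 -> 66.42.19.188:80 proto=tcp",
    "2019-03-14T10:01:10Z dns query client=10.0.0.23 qname=icanhazip.com qtype=A",
    "2019-03-14T10:01:12Z conn 10.0.0.23:49210 -> 8.8.8.8:53 proto=udp",
    "2019-03-14T10:01:15Z dns query client=10.0.0.23 qname=pool.minexmr.com qtype=A",
]

# Constructed text standing in for a downloaded mining instruction file.
SAMPLE_CONFIG_TEXT = ("wallet=436jRfZbdEkPXJb5eiS72Vg5zdfrMTcrp9a1q9rn9KMU1r62hZbXqqc8q7D1qrShhUcQvuDNq5gvCf7ffQXutoJGPUBJXT"
                      " pool=pool.minexmr.com")


def scan_log(lines, iocs: dict) -> list:
    """Return (line_number, kind, indicator) for every IoC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for ip in IP_RE.findall(low):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(low):
            if host in iocs["hostname"]:
                hits.append((n, "hostname", host))
    return hits


def find_known_wallets(text: str, iocs: dict) -> list:
    """Look for long alphanumeric tokens that equal a known beneficiary wallet."""
    return sorted(tok for tok in re.findall(r"[0-9A-Za-z]{80,}", text) if tok in iocs["wallet"])


IOCS = build_ioc_set(DEFANGED_IOCS)

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG, IOCS):
        print(f"line {n}: {kind} match {value}")
    print("wallet matches:", find_known_wallets(SAMPLE_CONFIG_TEXT, IOCS))
```

Matching refanged hostnames against DNS query logs catches the initial check-in and the pool lookup even when the C2 IP changes, which is why the hostnames in the table are worth more to a defender than the individual IPs; the wallet check is what ties a sample or a dropped instruction file to this specific campaign.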
Final Assessment
Conclusion
- Adylkuzz is a direct descendant of NSA tools stolen by the Shadow Brokers, repurposed to mine Monero by exploiting EternalBlue and DoublePulsar in a three-stage attack chain.
- The malware actively evades monitoring tools in real time. CPU usage drops when Process Hacker or Task Manager is open and spikes the moment they are closed. This behavior was observed and documented firsthand.
- 245 registry changes were recorded post-infection: 24 keys added, 193 values added, 28 values modified. The malware is deeply embedded and persistent across reboots.
- The malware blocks SMB port 445 after infection to prevent further exploitation by competing malware, protecting its resource monopoly on the infected system.
- A Monero wallet address was identified and is fixed in the mining configuration, meaning all mined Monero goes to a single beneficiary wallet regardless of how many systems are infected.
- At the time of writing, the campaign was still active and mining, 2 years after initial discovery. Patching and antivirus remain the primary prevention controls.
References
- Bhat, Shakeel. (2017). DoublePulsar: A Very Sophisticated Payload for Windows. SecPod. secpod.com
- Distler, Dennis. (2008). Malware Analysis: An Introduction. SANS Institute.
- F-Secure Global. (2017). Analyzing the DoublePulsar Kernel DLL Injection Technique. f-secure.com
- Grossman, Nadav. (2017). EternalBlue: Everything There Is To Know. Check Point Research. research.checkpoint.com
- KAFEINE. (2017). Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar. Proofpoint. proofpoint.com
- Monaco, Fabrizio. (2017). malware-samples/Adylkuzz. GitHub. github.com
- NIST. (2018). CVE-2017-0144 Detail. NVD. nvd.nist.gov
- SentinelOne. (2019). EternalBlue: The NSA-Developed Exploit That Just Won’t Die. sentinelone.com
- Wikipedia. (2020). The Shadow Brokers. wikipedia.org