Move over WannaCry, there’s a new Ransomware in town

Adylkuzz is CoinMiner malware, meaning it uses a machine's resources, without the owner's consent, to mine coins for virtual currencies. It appears to exploit the same vulnerabilities that the WannaCry ransomware did, but in a stealthier fashion.

On paper WannaCry was the more damaging of the two: it threatened victims with data loss and extorted money from them. Adylkuzz, on the other hand, is far less in your face. It operates in the background, using the victim's machine to mine cryptocurrency and turn stolen computing time into something with monetary value. In practice that means the malware consumes resources on the machine, chiefly CPU cycles.

Whoever is behind the attack thus builds an army of machines, each running a background program that links up with the other infected machines to mine small amounts of cryptocurrency collectively. These programs mostly go unnoticed by the computer's owner. The bigger problem is that mining a little cryptocurrency is one thing; once a victim's computer has been infiltrated, the same access could be used for something far worse.

There is nothing official about who is behind WannaCry or Adylkuzz, but there is speculation that WannaCry is linked to North Korea, because its behavioural characteristics resemble those of the 2014 Sony attack, which was attributed to the DPRK. Since Adylkuzz is newly discovered coin-mining malware and is not as immediately destructive as WannaCry was, there is very little to go on regarding its origins. The public must nonetheless stay alert: keep a close eye on emails and, in this case, on CPU usage.

The importance of installing update patches cannot be overstated. The truth is, the vulnerability that WannaCry and Adylkuzz exploit was patched two months ago. The main reason WannaCry took off on May 12, 2017 was that not every machine on the planet was up to date with its patches. Microsoft addressed the flaw back in March 2017, but organisations around the world, from small businesses to large corporations, still hadn't updated their Windows systems, and that's where it all went haywire.

Here are the techy details of Adylkuzz:

Once executed, the Trojan creates the following files:

%ProgramFiles%\Hardware Driver Management\windriver.exe
%Windir%\Fonts\wuauser.exe

The Trojan connects to one of the following remote locations to report installation:

[http://]panel.minecoins18.com/install/st[REMOVED]
[http://]08.super5566.com/install/st[REMOVED]
[http://]am.super1024.com/report/st[REMOVED]

Next, the Trojan connects to one of the following remote locations to download the cpuminer cryptocurrency miner:

[http://]panel.minecoins18.com/x64[REMOVED]
[http://]panel.minecoins18.com/x86[REMOVED]
[http://]08.super5566.com/64.[REMOVED]
[http://]08.super5566.com/86.[REMOVED]
[http://]am.super1024.com/64.[REMOVED]
[http://]am.super1024.com/86.[REMOVED]

The Trojan downloads cpuminer to one of the following locations:

%ProgramFiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat
%Windir%\Fonts\msiexev.exe

The Trojan contacts one of the following remote locations to download configuration for cpuminer:

[http://]panel.minecoins18.com/argline[REMOVED]
[http://]08.super5566.com/mine[REMOVED]
[http://]am.super1024.com/mine[REMOVED]

The Trojan then executes cpuminer on the compromised computer.

The Trojan blocks access to port 445 on the compromised computer.

The Trojan creates the following services:

WHDMIDE
WELM

The Trojan saves the cpuminer output log to the following location:

%Temp%\[RANDOM CHARACTERS]._Miner_.log

The Trojan stops itself and the miner process if any of the following processes are running:

taskmgr.exe
mmc.exe
procexp.exe

The Trojan sends the following information to a remote location:

Global IP address
Malware version
Operating system and architecture
CPU frequency
Number of processors
Memory size

The Trojan also checks for the following processes:

avp.exe
nod32krn.exe
mcshield.exe
ccsvchst.exe
360sd.exe
avguard.exe
msseces.exe
avastsvc.exe
avgnsx.exe
spidernt.exe
kwatch.exe
xcomsvr.exe
fsdfwd.exe
ravmon.exe
sfctlcom.exe
qhlpsvc.exe
guardxservice.exe

The Trojan then sends the information to one of the following remote locations and may download updates:

[http://]panel.minecoins18.com/rep[REMOVED]
[http://]08.super5566.com/rep[REMOVED]
[http://]am.super1024.com/rep[REMOVED]

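One way to check a Windows host for the indicators listed above, as an added example that is not from the original post or the advisory it summarises: a read-only PowerShell triage script. It assumes the port-445 block is implemented as a Windows Firewall rule, which the write-up does not state; the file, service and log names are taken from the details above.

```powershell
# Added example, not from the original post: read-only triage for the
# Adylkuzz indicators listed above. Run in an elevated PowerShell session
# on the Windows host being checked; it changes nothing on the machine.

$hits = @()

# 1. Dropped files named in the write-up (environment variables expanded per host)
$files = @(
    '%ProgramFiles%\Hardware Driver Management\windriver.exe',
    '%Windir%\Fonts\wuauser.exe',
    '%ProgramFiles%\Microsoft.NET\Primary Interop Assemblies\LMS.dat',
    '%Windir%\Fonts\msiexev.exe'
)
foreach ($f in $files) {
    $path = [Environment]::ExpandEnvironmentVariables($f)
    if (Test-Path -LiteralPath $path) { $hits += "File present: $path" }
}

# 2. Services the Trojan installs, with the binary each one points at
Get-CimInstance Win32_Service -Filter "Name='WHDMIDE' OR Name='WELM'" |
    ForEach-Object { $hits += "Service $($_.Name) [$($_.State)] -> $($_.PathName)" }

# 3. Miner output log written under %Temp% with a random prefix
Get-ChildItem -Path $env:TEMP -Filter '*._Miner_.log' -ErrorAction SilentlyContinue |
    ForEach-Object { $hits += "Miner log: $($_.FullName) ($($_.Length) bytes)" }

# 4. The write-up says the Trojan blocks port 445; this ASSUMES it does so with
#    a Windows Firewall rule, so list enabled inbound block rules covering 445
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object { $hits += "Inbound block rule on 445: $($_.DisplayName)" }

if ($hits.Count -eq 0) {
    Write-Output 'No Adylkuzz file, service, log or firewall indicators found.'
} else {
    Write-Output 'Adylkuzz indicators found:'
    $hits | ForEach-Object { Write-Output "  $_" }
}

# 5. Context either way: the miner shows up as a sustained CPU consumer under a
#    benign-looking name, so list the top consumers for a human to review
Write-Output 'Top CPU consumers (cumulative seconds):'
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 |
    ForEach-Object { Write-Output ("  {0,-20} PID {1,-6} {2,10:N0}  {3}" -f $_.Name, $_.Id, $_.CPU, $_.Path) }
```

A clean result here only rules out the indicators the write-up names; a miner that has been renamed or moved will still show up under the CPU listing rather than the indicator checks.
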
What to do now that you know about Adylkuzz?

  • You can start off by taking cyber security very seriously – keep up with the latest in malware and cyber attacks, and share anything you find that may help the next user down the line.
  • Keep Windows Update ON – for some it may eat up bandwidth and even CPU resources, but the time invested in downloading regular updates may save your files and your money.
  • Keep your antivirus definitions up to date – like Windows Update, update your antivirus to ensure that you are protected from the latest threats out there.
  • Run full scans with your antivirus.
  • Give us a call and we will handle it all for you; we should already have updated Windows for you or instructed you to update it – if you're unsure, get in touch with us ASAP.

IntelliTeK is one of the fastest growing IT service providers that you will find on any list of managed service providers in Australia. We are always up to date with the latest threats to email and IT security, which is why we only partner with the best in the industry. If your company isn't fully equipped to fend off cyber criminals, then get in touch with us so we can discuss your options. Call us on 1300 768 779, email us at info@intellitek.com.au, fill out the web form, or have a Live Chat with us below.
