Adylkuzz Cryptocurrency Miner Distribution Campaign

Number: AL17-007
Date: 18 May 2017

Purpose

The purpose of this alert is to bring attention to, as well as provide guidance and mitigation advice for a Cryptocurrency Miner Distribution Campaign.

Assessment

CCIRC is aware of a cryptocurrency miner campaign, called Adylkuzz, which is spreading in a similar way to the recent WannaCry Ransomware campaign. Open source reports indicate that this malware predates the WannaCry campaign and is being spread using the EternalBlue exploit and DoublePulsar backdoor to typically install the cryptocurrency miner Adylkuzz. Please note that the DoublePulsar backdoor could be used to install other malware and is not limited to the cryptocurrency miner.

Symptoms of compromise may include loss of access to shared Windows resources and possible degradation of PC and server performance. Open source reports also indicate that this activity may be larger in scale than WannaCry, affecting hundreds of thousands of PCs and servers worldwide. For this reason, CCIRC highly recommends applying the SMB patches to prevent further exploitation.

Suggested Action

CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.

Most often, attacks of this type are detected by diligent and well-informed users. CCIRC recommends that organizations ensure users receive current situational awareness and training, including instructions on how to report unusual or suspicious emails to their IT Security Branch. Reviewing departmental policies, requirements and security education and awareness training can help reduce this threat.

References:

Date modified: