Adylkuzz is a piece of malicious software that doesn’t encrypt your files or demand you pay a ransom. It doesn’t steal your emails or erase your data. It sits hidden in your computer, a background process that would look legitimate to the naked eye, if a naked eye even bothered to look at it. The only thing it wants to take from you is your computer’s processing power, and use it to generate pieces of Monero, a bitcoin-like cryptocurrency.
This malware, which has been in the wild since the beginning of May, uses two of the same tools that made the May 12 WannaCry ransomware attack so successful. Those tools, known as EternalBlue and DoublePulsar, were allegedly created by the National Security Agency, and leaked online in April by a group calling itself the Shadow Brokers. Together, the tools allow hackers to install backdoors on certain Windows computers and run programs in the background—any programs they want—without raising any alarms that would alert users their computers are infected.
Once it infects a computer, Adylkuzz shuts down the networking service that makes Windows computers vulnerable to it, according to an analysis by the security firm Proofpoint. Like a parasite protecting its host, that action blocks further malware from getting into the computer using the same NSA exploits. That allows Adylkuzz to have the computer all to itself. In fact, since it was active for up to two weeks before WannaCry hit, its existence may have limited the ransomware’s rapid spread, according to the analysis.
With its free reign on a computer established, Adylkuzz begins mining for Monero, the digital currency. The value of Monero fluctuates wildly, but at the moment it’s worth $38.57, and its current market capitalization is $560,347,581. For any cryptocurrency, the process of mining involves running a program that contributes to the currency’s transactional infrastructure by solving complex math problems, and receiving rewards in the form of fees. One computer running a mining program may not scrape up a lot of digital coins, but many computers can.
At the time of its analysis, Proofpoint found Adylkuzz had made at least $43,000 from its Monero mining operation. But that was just the money sent to Monero wallets the researchers were aware of—they expect there are many more.
The computers vulnerable to attacks that use the EternalBlue and DoublePulsar exploits include most versions of Windows since Vista, if they haven’t been recently updated. The best way to guard against these attacks, if you’re using a Windows computer, is to make sure it’s up to date. And for computers already infected with Adylkuzz, most anti-virus software should be able to catch it at this point.