How to Use Cortex XDR to Monitor Cryptojacking Malware



In this PoC we use Cortex XDR to observe how Adylkuzz, a cryptocurrency-mining worm, behaves when it is allowed to run freely on an endpoint. Along the way we look at how Adylkuzz spreads, maintains persistence and hides itself, and how Cortex XDR surfaces this kind of malware both through its traditional prevention modules and through behavioral analytics (Analytics BIOC alerts).

Malware used: Adylkuzz (c.exe)

 

What is Cryptomining?

 

Cryptomining is the process of using specialized software to validate transactions on a blockchain and append them to its public ledger. On proof-of-work chains such as Bitcoin or Monero this means repeatedly hashing a candidate block with different nonce values until the hash falls below a difficulty target. There is no equation being "solved"; it is a brute-force search whose expected cost doubles with every extra bit of difficulty, which is why it consumes so much CPU or GPU time. The miner that first finds a valid hash is rewarded with newly issued coins plus transaction fees, and the person or operation doing this is called a miner.
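To make the "brute-force search" concrete, here is a toy proof-of-work loop. It is an added example written for this article, not code from the page or from any mining software; the block header is constructed and the difficulty is deliberately tiny so it finishes instantly, but the shape (double SHA-256 of header plus nonce, accept only if the hash is below a target) is the one real miners run billions of times per second.

```python
# Added example for this article (not code from the page or from any mining
# software): a toy proof-of-work loop that shows what "mining" computes.
# Bitcoin-style mining double-SHA-256s an 80-byte block header and accepts the
# nonce only if the hash is below a target; this keeps that shape but uses a
# small difficulty so it finishes in well under a second. The header is
# constructed and is not a real block.
import hashlib
import struct
from typing import Optional, Tuple

HASH_BITS = 256


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce (nonce as 32-bit little-endian)."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True if the hash has at least `difficulty_bits` leading zero bits,
    i.e. it is below the target 2**(256 - difficulty_bits)."""
    return int.from_bytes(digest, "big") >> (HASH_BITS - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int,
         max_nonce: int = 2 ** 32) -> Tuple[Optional[int], int]:
    """Brute-force nonces until one meets the target.
    Returns (winning nonce or None, number of hashes computed)."""
    for nonce in range(max_nonce):
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    return None, max_nonce


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification costs one hash; finding the nonce costs ~2**bits hashes.
    That asymmetry is the whole point of proof of work."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Expected number of attempts: each extra bit of difficulty doubles the work."""
    return 2 ** difficulty_bits


# Constructed header: the previous-block hash, merkle root and timestamp
# fields are placeholders, not real chain data.
CONSTRUCTED_HEADER = (
    b"\x00" * 32                      # "previous block hash"
    + b"\x11" * 32                    # "merkle root"
    + struct.pack("<I", 1700000000)   # "timestamp"
)

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, tried = mine(CONSTRUCTED_HEADER, bits)
        print(f"{bits:2d} bits: nonce={nonce} hashes={tried} "
              f"expected~{expected_hashes(bits)} "
              f"valid={verify(CONSTRUCTED_HEADER, nonce, bits)}")
```

Run it and compare the hash counts for 8, 12 and 16 bits: the work grows by roughly 16x at each step while verification stays at a single hash. A cryptojacker is stealing exactly that search loop, which is why an infected host sits at 100% CPU.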

 

The same word is also used for the illicit variant: mining on someone else's hardware without their knowledge or consent. This malware-based mining is a real security concern. It degrades performance, can crash systems, drives up power and cooling costs, and sustained full load can shorten the life of hardware that was not sized for it. It also proves that an attacker has code execution on the host, and the same access could be used for something far worse than mining.



What is Cryptojacking?

 

Cryptojacking is the attack behind illicit mining: the attacker plants mining malware on a victim's computer and points it at a wallet the attacker controls. The miner runs in the background using the victim's CPU and GPU, and because it does nothing visibly destructive it often goes unnoticed for a long time. The only symptoms the victim sees are degraded performance, fans running at full speed and a higher electricity bill.

 

The difference from legitimate cryptomining is simply who pays for it. A legitimate miner buys the hardware and the electricity and keeps the coins. A cryptojacker keeps the coins while the victim absorbs the hardware and energy cost, which is what makes the attack profitable even on low-value hosts.

 

About Adylkuzz

 

Adylkuzz is cryptomining malware that was first publicly reported in May 2017, in the same period as the WannaCry ransomware. The two differ in purpose but share a delivery mechanism: Adylkuzz propagates over SMB using the same leaked EternalBlue exploit that WannaCry used. Rather than encrypting files and demanding a ransom, it installs a Monero miner on each infected machine and sends the mined coins to the attacker's wallet.

 

Adylkuzz is often described as fileless because it leans on built-in Windows tooling (WMIC and PsExec) to spread, which helps it slip past signature-based anti-virus that only looks at the dropped payload. The label is not quite accurate: as the PoC below shows, it does write an executable to disk, just in a place nobody looks. Once it owns a machine it also kills competing cryptomining processes so that it gets all of the CPU for itself.

 

Its worm behaviour is what makes it dangerous: every infected host scans the network for other machines vulnerable to EternalBlue and infects them in turn, so a single foothold can become a large number of miners in a short time.

 

Monitoring the Activities

 

For this PoC we used a hosted virtual machine running Windows 10 Enterprise.


We start by creating a policy in Report mode, so that the Cortex XDR agent logs everything the malware does but does not block it. Report mode is strictly a lab setting: it turns off prevention for every endpoint the policy targets, so scope it to the test machine only.

 

This involved creating:

 

  1. New prevention profile rules for malware and exploit protection, with their actions set to Report.
  2. A new policy rule that applies the newly created prevention profiles to the test machine.

 

[Screenshot: prevention profiles and policy rule]

 

With that in place the agent records the entire execution flow of the malware without preventing the malicious file from running.

 

Spreading and pre-execution

 

In the wild Adylkuzz does not need a user to run it: as described above, it arrives over SMB by exploiting EternalBlue on unpatched hosts. Many other cryptominers do rely on social engineering, such as disguising the miner as a legitimate program or update, or luring the user into clicking a phishing link that installs it, so the manual-execution scenario below still represents a common initial-access path.

 

For our PoC we skipped the propagation stage and simply placed the sample, c.exe, on the machine, ready to execute.

 

[Screenshot: c.exe on the test machine]


Post Execution 

 

Executing c.exe spawns a new process named wuauser.exe. Investigating the alert generated in Cortex XDR we can also see that c.exe has removed itself and dropped a new executable in the Fonts folder (C:\Windows\Fonts). Both choices are meant to blend in: the name is one character away from wuauserv, the Windows Update service, and the Fonts folder contains no .exe files by default, so it is a place few people would think to look.

 

[Screenshot: alert showing wuauser.exe dropped in the Fonts folder]

 



Looking at the alert for wuauser.exe in the Cortex XDR causality view, we can also see that the binary is unsigned, which should raise further suspicion: genuine Windows Update components are signed by Microsoft.

 

[Screenshot: causality view showing the unsigned binary]

 

Maintaining persistence


Looking at the registry changes made by the malicious file, we can see a new service called WELM that masquerades as "Windows Event Log Management", described in its service description as a tool meant to "prove event log to access management information" (sic).

The real purpose of the service is to establish a foothold on the infected endpoint and make sure the miner keeps running after a reboot. Its start type is Automatic, so it launches at every boot, and its recovery options restart the service one minute after any failure. Killing the miner process without also removing the service therefore buys you about a minute.

 

[Screenshot: registry keys for the WELM service]

[Screenshot: WELM service start type and recovery options]

 

Cortex XDR analytics also generated an Analytics BIOC alert stating that the process c.exe.exe, running at a lower integrity level than SYSTEM, created the WELM service. A Windows service runs as SYSTEM by default, so a lower-privileged process registering one is a privilege boundary being crossed and is a frequent indicator of malicious persistence.
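The traits observed in this section (an executable dropped where no executable belongs, an unsigned image with a lookalike name, Automatic start with a one-minute restart-on-failure, and a creator process below SYSTEM integrity) can be turned into a scoring rule. The block below is an added example written for this article; it is not Cortex XDR code, and its event fields are an assumed, simplified telemetry schema rather than the XDR data model. The two events it scores are constructed: one mirrors what the PoC observed, the other is a plausible legitimate service for contrast.

```python
# Added example, written for this article; it is not Cortex XDR code and the
# event fields are an assumed, simplified telemetry schema rather than the XDR
# data model. It scores a service-creation event against the persistence
# traits observed in the PoC. All events are constructed.
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

# Directories that contain no .exe files on a clean Windows install.
NO_EXE_DIRS = (r"c:\windows\fonts", r"c:\windows\temp", r"c:\users\public")

# Names an attacker might imitate; "wuauser" is one character from "wuauserv".
KNOWN_WINDOWS_NAMES = ("wuauserv", "wuauclt", "svchost", "lsass", "csrss",
                       "services", "spoolsv")


@dataclass
class ServiceCreated:
    service_name: str
    display_name: str
    image_path: str
    start_type: str                   # "auto" | "manual" | "disabled"
    restart_delay_sec: Optional[int]  # recovery action, None if not configured
    image_signed: bool
    creator_process: str
    creator_integrity: str            # "low" | "medium" | "high" | "system"


def lookalike_of(image_path: str) -> Optional[str]:
    """Return the legitimate Windows name this binary's stem imitates, if any."""
    stem = image_path.lower().replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    for name in KNOWN_WINDOWS_NAMES:
        if stem != name and SequenceMatcher(None, stem, name).ratio() >= 0.85:
            return name
    return None


def score_service(ev: ServiceCreated) -> List[str]:
    """Return the list of suspicious traits; an empty list means nothing fired."""
    reasons = []
    path = ev.image_path.lower()
    if any(path.startswith(d) for d in NO_EXE_DIRS):
        reasons.append(f"image in a directory that holds no executables by default: {ev.image_path}")
    if not ev.image_signed:
        reasons.append("service binary is unsigned")
    mimic = lookalike_of(ev.image_path)
    if mimic:
        reasons.append(f"image name imitates Windows component '{mimic}'")
    if ev.start_type == "auto" and ev.restart_delay_sec is not None and ev.restart_delay_sec <= 60:
        reasons.append(f"auto-start with restart {ev.restart_delay_sec}s after failure")
    if ev.creator_integrity != "system":
        reasons.append(f"created by {ev.creator_integrity}-integrity process {ev.creator_process}")
    return reasons


def is_suspicious(ev: ServiceCreated, threshold: int = 2) -> bool:
    """Two or more traits together is the alerting threshold used here."""
    return len(score_service(ev)) >= threshold


# Constructed events: the first mirrors what the PoC observed (the creator's
# integrity level is assumed to be "high"), the second is a plausible
# legitimate service for contrast.
WELM_EVENT = ServiceCreated(
    service_name="WELM",
    display_name="Windows Event Log Management",
    image_path=r"C:\Windows\Fonts\wuauser.exe",
    start_type="auto",
    restart_delay_sec=60,
    image_signed=False,
    creator_process="c.exe.exe",
    creator_integrity="high",
)
BENIGN_EVENT = ServiceCreated(
    service_name="VendorAgent",
    display_name="Vendor Endpoint Agent",
    image_path=r"C:\Program Files\Vendor\agent.exe",
    start_type="auto",
    restart_delay_sec=None,
    image_signed=True,
    creator_process="msiexec.exe",
    creator_integrity="system",
)

if __name__ == "__main__":
    for ev in (WELM_EVENT, BENIGN_EVENT):
        print(ev.service_name, "SUSPICIOUS" if is_suspicious(ev) else "ok")
        for reason in score_service(ev):
            print("  -", reason)
```

No single trait is conclusive on its own (plenty of legitimate services auto-start and restart on failure), which is why the rule counts traits rather than alerting on any one of them; the WELM event trips all five.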

 

[Screenshot: Analytics BIOC alert for the service creation]

 

Network analysis

 

Looking at the Network Connections tab in the causality chain, we can see that the malware initiated connections to two different domains:

 

08.super5566.com - Adylkuzz has been reported to contact this domain and the related C&C infrastructure for several purposes:

  1. Reporting a successful installation
  2. Downloading the CPU miner
  3. Downloading additional configuration and updates

 

[Screenshot: Network Connections tab showing 08.super5566.com]

 

 

Checking the domain's reputation in VirusTotal shows it flagged as malicious by 7 of 90 vendors. A low ratio like this is normal for older mining infrastructure and should not be read as "probably benign": a handful of confirmed hits on a domain contacted by an unsigned binary running from the Fonts folder is more than enough to act on.

 

[Screenshot: VirusTotal verdict for 08.super5566.com]

 

icanhazip.com - a popular service that simply returns the caller's external IP address.

 

[Screenshot: Network Connections tab showing icanhazip.com]

 

On its own this looks harmless, but the site's own history explains the interest: malware authors have long had their implants call out to icanhazip.com to learn the public IP address of the machines they had infected. The external IP tells the attacker which organisation they have landed in and therefore how valuable the target is. It is likely that Adylkuzz uses icanhazip.com in the same way.


Cortex XDR not only recorded the connection but also raised an XDR Analytics BIOC alert because a non-browser process issued an HTTP GET request to a web site. GET itself is the normal way to fetch a page; what is unusual is that the request came from an unsigned service binary rather than a browser, and the most likely reason is to collect the external IP address and report it back to the malware's operator.
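The two network findings above (a non-browser process fetching an external-IP echo service, and any process contacting a domain with bad reputation) can be expressed as detection logic over HTTP telemetry. The block below is an added example written for this article, not Cortex XDR code; its event fields are an assumed, simplified schema, the reputation table is constructed (it treats the whole super5566.com domain as attacker-controlled, which is an assumption beyond the single VirusTotal hit the article shows), and the request paths are placeholders because the article does not show them.

```python
# Added example, written for this article; not Cortex XDR code, and the event
# fields are an assumed, simplified schema. It reproduces the two network
# findings from the PoC as detection logic. The reputation table and all
# events are constructed; request paths are placeholders.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe",
            "brave.exe", "opera.exe"}

# Public "what is my IP" services: reconnaissance when the caller is not a browser.
IP_ECHO_HOSTS = {"icanhazip.com", "ifconfig.me", "api.ipify.org",
                 "checkip.amazonaws.com", "ipinfo.io"}

# Constructed reputation table; in production this comes from a threat-intel feed.
# Keying on the parent domain is an assumption, not something the article shows.
BAD_DOMAINS: Dict[str, str] = {
    "super5566.com": "Adylkuzz C2 infrastructure (08.super5566.com flagged 7/90 on VirusTotal)",
}


@dataclass
class HttpEvent:
    process_name: str
    process_signed: bool
    method: str
    url: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def bad_domain_match(host: str) -> str:
    """Match the host or any parent domain against the reputation table."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return ""


def assess(ev: HttpEvent) -> List[str]:
    """Findings for one HTTP event; empty list means nothing fired."""
    findings = []
    host = host_of(ev.url)
    non_browser = ev.process_name.lower() not in BROWSERS
    if non_browser and host in IP_ECHO_HOSTS:
        findings.append(f"non-browser {ev.process_name} queried external-IP service {host}")
    if non_browser and not ev.process_signed:
        findings.append(f"unsigned non-browser {ev.process_name} made HTTP {ev.method} to {host}")
    bad = bad_domain_match(host)
    if bad:
        findings.append(f"{host} matches bad domain {bad}: {BAD_DOMAINS[bad]}")
    return findings


def assess_all(events: List[HttpEvent]) -> Dict[str, List[str]]:
    """Group findings per process so one alert covers the whole causality chain."""
    per_process: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        per_process[ev.process_name].extend(assess(ev))
    return dict(per_process)


# Constructed events modelled on the PoC's Network Connections tab.
SAMPLE_EVENTS = [
    HttpEvent("wuauser.exe", False, "GET", "http://icanhazip.com/"),
    HttpEvent("wuauser.exe", False, "GET", "http://08.super5566.com/"),
    HttpEvent("chrome.exe", True, "GET", "https://icanhazip.com/"),      # a user checking their own IP
    HttpEvent("svchost.exe", True, "GET", "http://update.example.com/"),  # signed system process, clean host
]

if __name__ == "__main__":
    for proc, findings in assess_all(SAMPLE_EVENTS).items():
        print(proc, "->", findings or "no findings")
```

The browser and the signed system process produce no findings even though both make GET requests, which is the point: the method is not the signal, the requesting process and the destination are.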

 

[Screenshot: Analytics BIOC alert for the non-browser HTTP GET]

[Screenshot: alert details for the icanhazip.com request]

 

Conclusion

This article explored the risks of cryptomining and cryptojacking, focusing on the Adylkuzz malware and on how the Cortex XDR platform can detect and prevent such attacks. During the proof of concept, Cortex XDR identified the malware's behavior by analyzing its network connections, registry changes and process activity, including how it maintains persistence, hides itself, and reports back to its operator.

 

Want to learn more about cryptojacking attacks & responses? Read the blog Playbook of the Week: Cloud Cryptojacking Response.

Sources

VirusTotal

Adylkuzz - Cryptocurrency Mining Malware

Cybersecurity Insiders: All About Adylkuzz Malware Cyber Attacks

icanhazip: How a simple IP address tool survived a deluge of users

ANY.RUN sandbox report: https://app.any.run/tasks/6f07fb16-d4fe-4ac3-b077-8928cdc39ea0/
