New Threats Emerge Using Same Exploit As WannaCry Ransomware

Monday May 22nd 2017 by Jeff Goldman
Share:

Cybercriminals are leveraging the EternalBlue vulnerabilities to launch a range of other attacks.

The EternalBlue vulnerabilities, which were stolen from the NSA and used in the recent WannaCry ransomware campaign, are being leveraged to distribute a wide range of other malware, including cryptocurrency miners and Remote Access Trojans.

On May 12, the date of the WannaCry ransomware attack, Cyphort Labs researchers uncovered a separate attack leveraging EternalBlue, which dates back at least to May 3.

"We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier Remote Access Trojan," Cyphort's Paul Kimayong wrote in a blog post. "Unlike WannaCry, this threat infects only once and does not spread. It is not a worm."

According to Cyphort, while the malware may not appear as destructive as WannaCry, it has the potentially to be even more dangerous. "The main payload is a RAT, and we all know what can happen once a malicious hacker gets inside your enterprise," Kimayong wrote.

The researchers believe the group behind the RAT is the same one responsible for the Mirai botnet.

WannaCry may have been a gift in one sense, Kimayong suggested -- its high profile forced companies to become aware of the risks from the EternalBlue exploit, and to take action. "What will hurt you the most are those things that you did not see coming," he wrote.

Cryptocurrency Miner

Proofpoint researchers separately uncovered a large-scale attack that uses EternalBlue to install the Adylkuzz malware, a Monero cryptocurrency miner.

"Like other cryptocurrencies, Monero increases market capitalization through the process of mining," the researchers wrote. "This process is computationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at current exchange rates."

"Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of [the] WannaCry infection," the researchers wrote.

According to Proofpoint, the Adylkuzz campaign dates back at least to May 2 and possibly to April 24. "This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," the researchers wrote.

UIWIX Ransomware

China's National Computer Virus Emergency Response Center (CVERC) and software company AsiaInfo are separately warning of the UIWIX ransomware, which also exploits the EternalBlue vulnerabilities to infect systems and spread within networks, Xinhua reports.

Trend Micro researchers reported that UIWIX appears to be fileless. "Fileless infections don't entail writing actual files/components to the computer's disks, which greatly reduces its footprint and in turn makes detection trickier," the researchers wrote.

"UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox," the researchers added. "Based on UIWIX's code strings, it appears to have routines capable of gathering the infected system's browser login, File Transfer Protocol (FTP), email and messenger credentials."

To protect against WannaCry, UIWIX and other threats leveraging EternalBlue, Trend Micro advises users to take the following steps:

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved