Adylkuzz: Cryptocurrency Mining Malware Uses Leaked NSA Exploits

  • 2 September 2017
  • Cas Proffitt

Cryptocurrency trading and mining have become an increasingly popular way to earn money. The latest chapter in mining operations is referred to as Adylkuzz. Adylkuzz mines the cryptocurrency Monero which was worth around $30 dollars at the time this article was written.

How does Adylkuzz infiltrate machines?

Adylkuzz infiltrates machines through the use of leaked NSA exploits called EternalBlue and DoublePulsar. Adylkuzz malware targets vulnerable servers, personal computers, and other machines which are open to the exploits. WannaCry malware uses the same exploits to enter machines.

What were the signs of an Adylkuzz infection?

Image result for monero cryptocurrency

Adylkuzz performed brilliantly in staying hidden. Machines affected by Adlykuzz seemed to run a little more slowly. The mining program operated as a Windows service, allowing it to operate in plain sight. While the resource drain was the only known sign, Adylkuzz generated is believed to have generated tens-to-hundreds of thousands per day in Monero through cryptocurrency mining.

How does Adylkuzz mine for cryptocurrency?

Adylkuzz first infiltrates vulnerable machines using EternalBlue and then downloads an installer and cleanup package to afflicted machines using DoublePulsar, a backdoor exploit that was used by the NSA. The installer program downloads Adylkuzz cryptocurrency mining software and starts running it as a background Windows process to conceal its identity.

Image result for microsoft logo

The only way to fix these vulnerabilities was for users to disable server message block 1.0 (SMBv1) communications, block communication on port 445 through their firewalls, or for the operating system producer or enterprise updates to release a patch for the Microsoft SMB vulnerability known as CC-1353. Microsoft addressed CC-1353 in their MS17-010 bulletin.

What did service and hardware providers do about it?

Microsoft released software patches to remedy the vulnerability that these malicious programs were using. While it is nearly unheard of for providers to do, Microsoft also pushed out an update for their end-of-life operating system Windows XP along with a warning that governments hoarding and losing zero-day vulnerabilities are equivalent in many ways to them hoarding and losing Tomahawk Cruise Missiles.

What were the positive impacts of Adlykuzz?

Adylkuzz infiltrated machines and disabled their SMB network operation to eliminate the potential for other, similar exploits to breach the machine they occupy.to take the machine over or expose its activities. Adylkuzz is suspected to have been in circulation for several weeks before being identified by Sophos Labs and


Adylkuzz seems to have been a blessing in disguise with the recent spread of WannaCry because it shut down the vulnerability that WannaCry exploited to gain access to systems. While Adylkuzz was less destructive to its slave machines, it is estimated that afflicted machines garnered as much as 1-million dollars in cryptocurrency for their masters.


As with any other vulnerabilities, it is imperative to keep up with system patching and practice safe browsing to ensure the lowest possible chances of being infected with malicious software. The number of ransomware attacks has grown in recent times due to ease of social exploitation for a quick payoff.

Adylkuzz, however, seems to have garnered significantly more money for its owner than WannaCry by a significant margin.

About Cas Proffitt

Cas is a B2B Content Marketer and Brand Consultant who specializes in disruptive technology. She covers topics like artificial intelligence, augmented and virtual reality, blockchain, and big data, to name a few. Cas is also co-owner of an esports organization and spends much of her time teaching gamers how to make a living doing what they love while bringing positivity to the gaming community.