Smominru cryptocurrency botnet affected half a million machines

Smominru botnet affected over 500.000 devices using EternalBlue exploit

More than half a million computers were turned into Monero mining machines since May 2017 when Smominru botnet^[1] started spreading cryptocurrency miner. Back them virtual gold diggers found a way how to use EternalBlue exploit kit to target unpatched Windows computers and use them to mine cryptocurrency.

Smominru miner, also known as Ismo, has been monitored by Proofpoint researchers^[2] since May 2017. According to the latest information, cryptocurrency miner has already infected more than 526.000 machines running on Windows OS. It seems that the majority of affected computer users did not bother to install patches that would have stopped the attack.

Cyber criminals already managed to mine 8.900 Monero, which is around $3.6 million. There’s no doubt that such activity is very profitable. Crooks earn about 24 Monero per day – about $8.500. Fortunately, their illegal activities were

Russia, India, and Taiwan – the most affected countries

According to the research, Smominru spreads worldwide. However, the majority of affected machines are in Russia, India, and Taiwan. Among less affected countries are Ukraine, Brazil, Japan and Asian region.

However, authors of Smominru does not seem to launch a targeted attack towards these countries. The dispersal of the attack is explained quite simply. The number of installed Windows OS patches in these regions were very low.

Researchers assume that affected Windows machines are actually servers because desktop computer power is not enough to mine Monero effectively. Hence, malware seems to be the threat to companies and organizations. Thus, IT departments are suggested to look up for cryptocurrency miner on the system and install Microsoft’s security patches.

Criminals use at least 25 machines to find vulnerable Windows machines

There’s no doubt that infecting half a million netizens requires proper preparation. According to the research data, criminals are using at least 25 machines. They are working as scanners that search for vulnerable Windows computers that are connected to the Internet.

As you already know, Smominru botnet uses NSA SMB exploit (CVE-2017-0144)^[3] which was leaked by hackers group called Shadow Brokers. The same exploit kit was used in worldwide WannaCry^[4] and NotPetya attacks in 2017.

However, this time criminals also use another leaked exploit – EsteemAudit (CVE-2017-0176)^[5] – which leverages RDP vulnerabilities in Windows Server 2003 and Windows XP systems.

What is interesting that Smominru’s command and control server is hosted on DDoS protection service SharkTech. Nevertheless, the company was informed about the issue; they neither replied nor taken down malicious activities.

Attempts to beat Smominru botnet was useless

There were some multiple attempts made to eliminate the notorious botnet. Researchers note that one-third of the machines operated by hackers were taken down and IP addresses banned. However, cybercriminals managed to recover with the ever-expanding network.

Experts explain that botnet managed to recover due to the EternalBlue exploit which allows getting back access to the network easily. Therefore, it seems the botnet is unbreakable and expected to continue expanding.