Dubbed “Smominru”, the botnet is believed to have been active since the end of May 2017 and infected more than 526,000 computers running the Microsoft Windows operating system using the EternalBlue server message block (SMB) exploit, which was allegedly developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers hacking group in April 2017.
Monero, like Ethereum an alternative to Bitcoin, continues its upward trend in value, putting both currencies squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions, according to researchers at cyber security firm Proofpoint.
“Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cyber criminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free,” the researchers said in a blog post.
The botnet runs cryptocurrency mining software known as Smominru or Ismo, which is unusual among crypto mining malware in its use of Windows Management Instrumentation (WMI) and in how quickly it generates new units of cryptocurrency.
The botnet appears to be capable of mining 24 Monero a day (about $8,500 at the time of the report) and is believed to have generated cryptocurrency worth up to $3.6m for its operators.
At least 25 hosts are conducting attacks through EternalBlue to infect new nodes and increase the size of the botnet, the researchers said, noting that other researchers have reported attacks through MySQL. The Proofpoint researchers believe the botnet operators are also likely using EsteemAudit (CVE-2017-0176), like most other EternalBlue attackers.
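The two propagation routes named above (EternalBlue over SMBv1, EsteemAudit over RDP) and the WMI use mentioned earlier each map to a host-level check an administrator can run. The PowerShell below is an added triage example, not Proofpoint's code or anything recovered from the botnet: it reports whether SMBv1 is still enabled, whether one of the MS17-010 hotfixes is installed, whether RDP is reachable on an end-of-life Windows version, and which WMI permanent event subscriptions exist. The KB list is a partial one we assume here (it does not cover Windows 10 builds), and treating "WMI use" as WMI event subscriptions is our assumption about what to look for, not a detail the report gives.

```powershell
# Added triage script (not Proofpoint's code). Run elevated on the host to be checked.
# Assumptions labelled inline: the KB list is partial, and the WMI check looks at
# permanent event subscriptions, which the article does not itself describe.

$report = [ordered]@{}

# 1. SMBv1 status. EternalBlue (MS17-010) only works against SMBv1.
#    Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
#    older hosts fall back to the LanmanServer registry value.
try {
    $report.SMB1Enabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
} catch {
    $smb1 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -ErrorAction SilentlyContinue
    # An absent value means SMBv1 is enabled by default on legacy Windows.
    $report.SMB1Enabled = ($null -eq $smb1) -or ($smb1.SMB1 -ne 0)
}

# 2. MS17-010 hotfix presence. KB identifiers differ per OS; this list (assumption)
#    covers Vista/2008, 7/2008 R2, 8.1/2012 R2, 2012 and the May 2017 XP/2003 update.
#    An empty result on Windows 10 proves nothing, because its fixes ship as cumulative updates.
$ms17010 = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
$report.MS17010Hotfix = @($installed | Where-Object { $ms17010 -contains $_ })

# 3. RDP exposure. EsteemAudit (CVE-2017-0176) is an RDP smart-card bug on end-of-life
#    Windows XP / Server 2003, so RDP enabled on an old OS caption is the thing to flag.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -ErrorAction SilentlyContinue
$report.RDPEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
$report.OS = (Get-CimInstance Win32_OperatingSystem).Caption

# 4. WMI permanent event subscriptions (filter -> consumer bindings). On a stock
#    server the only binding is BVTFilter -> SCM Event Log Consumer; anything else
#    is worth pulling apart, since these survive reboots and run as SYSTEM.
$report.WMISubscriptions = @(
    Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding `
        -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Filter) -> $($_.Consumer)" }
)

[pscustomobject]$report | Format-List
```

A host showing SMB1Enabled true with no MS17-010 hotfix, or RDPEnabled true on an XP/2003 caption, is exposed to the two routes the researchers describe regardless of whether it is currently infected; the WMI listing is the place to look afterwards for anything the miner may have left behind.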
Smominru’s command and control infrastructure is hosted behind distributed denial of service (DDoS) protection company SharkTech, which has been notified by the researchers. They have also contacted Monero mining pool MineXMR to ban the Monero address linked to the Smominru botnet.
“The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one-third of the botnet in the process,” the researchers said.
Cryptocurrencies have been used by cyber criminals for years in underground markets, but in the past year, the researchers said, they have observed standalone coin miners, and coin mining modules added to existing malware, proliferate rapidly.