Focused on mining Monero crypto-currency, a new botnet has managed to ensnare over half a million machines to date, Proofpoint reports.
Dubbed Smominru, the botnet managed to infect over 526,000 Windows hosts to date, most of which are believed to be servers. After conducting a sinkholing operation, the security researchers discovered that the infected machines are distributed worldwide, with the highest numbers in Russia, India, and Taiwan.
The Monero miner, which is also known as Ismo, has been observed since the end of May 2017 spreading via EternalBlue, the National Security Agency-linked exploit that targets a vulnerability (CVE-2017-0144) in Windows’ Server Message Block (SMB) on port 445. The exploit was previously used in other global attacks, including WannaCry and NotPetya.
The miner itself has been detailed numerous times before, and was associated with various attacks, including those perpetrated by an established Chinese crime group (Hex Men).
What makes it stand out in the crowd is the use of Windows Management Infrastructure for infection, a method recently noticed in the WannaMine crypto-mining worm too (which also uses EternalBlue to spread).
The hash power associated with the Monero payment address for Smominru reveals that the botnet was likely twice the size of Adylkuzz, the first crypto-mining botnet to abuse EternalBlue. According to Proofpoint, Smominru’s operators already mined around 8,900 Monero (between $2.8 million and $3.6 million), at a rate of around 24 Monero per day.
In a recent report diving into the huge financial gains crypto-miner operators register, Talos revealed that an adversary controlling 1,000 systems would make around $90,000 per year. The security firm also says it “has observed botnets consisting of millions of infected systems,” which “could be leveraged to generate more than $100 million per year theoretically.”
While investigating Smominru, Proofpoint discovered that at least 25 of the hosts were attempting to infect new machines via EternalBlue (the hosts are placed behind the network autonomous system AS63199).
Last week, NetLab 360 security researchers published a post on what they call the MyKings botnet, which appears to be none other than Smominru, based on the used Monero address. NetLab revealed that the mining operation was performed by a sub-botnet, while another was focused on scanning and spreading, capable of mobilizing over 2400 host IP addresses.
According to Proofpoint, some of the distribution attacks are likely performed using MySQL, while others supposedly leverage the NSA-linked exploit EsteemAudit (CVE-2017-0176).
Both NetLab and Proofpoint findings fall in line with GuardiCore’s report on the Hex Men, a group using three malware families, namely Hex, Hanako and Taylor, each targeting different SQL servers with its own goals, scale and target services.
The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, Proofpoint’s security researchers have discovered. The company was informed on the issue.
MineXMR was also contacted regarding the Monero address associated with Smominru, and the mining pool banned the address. This prompted the botnet operators to register new domains and mining to a new address on the same pool. This switch apparently resulted in the operators losing control over one third of the bots.
“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” Proofpoint notes.
The use of standalone coin miners and coin mining modules in existing malware has proliferated rapidly over the past year, fueled by the surge in value crypto-coins such as Bitcoin and Monero have registered. With Bitcoin resource-intensive to mine outside of dedicated mining farms, Monero has registered massive interest from cybercriminals.
Smominru’s operators have likely registered significant profits from their operation and the resilience of the botnet and its infrastructure suggest that the activities will continue, the researchers say. The potential impacts on infected nodes will continue as well, and other botnets featuring similar purpose and methods might emerge as well, the researchers say.
“We repeatedly see threat actors ‘follow the money’ – over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives,” Kevin Epstein, VP Threat Operations, Proofpoint, said in an emailed comment.
“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe. Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching,” Epstein concluded.