SecurityWeek

Cybercrime

Smominru Botnet Infects Thousands of Hosts Daily

The Smominru botnet continues to spread at a fast pace, infecting around 4,700 new hosts daily during the month of August, Guardicore Labs reports.

Active since 2017, the botnet was initially detailed in early 2018, when it had already infected over half a million machines, focusing on cryptocurrency mining. Upon infection, the malware also attempts to steal users’ credentials and to drop an additional Trojan module.

Also referred to as Hexmen and Mykings, Smominru has been targeting vulnerable Windows machines using an EternalBlue exploit, as well as employing brute-force attacks on services such as MS SQL, RDP, Telnet and more.

When analyzing the botnet’s activity, Guardicore Labs’ security researchers noticed that some machines were reinfected after Smominru had been removed from them, suggesting that they remained exposed because they had not been adequately patched.

Access to one of the attackers’ core servers provided Guardicore Labs with insight into the type of information they logged on each infected host, including external and internal IP addresses, operating system information, CPU load, and running processes. The logs also revealed attempts to steal credentials using Mimikatz.

In August, Smominru managed to infect 90,000 machines worldwide, at a pace of 4,700 systems per day, with China, Taiwan, Russia, Brazil and the United States hit the most. Among victims, the researchers found US-based higher-education institutions, medical firms, and cyber security companies.

Following the initial compromise, the botnet attempts to move laterally within the environment. Thus, it managed to affect over 4,900 networks in a month, with many of them having dozens of internal machines infected (a healthcare provider in Italy had a total of 65 infected hosts).

Most of the impacted machines are running Windows 7 and Windows Server 2008 (85% of all infections), which is not surprising, given that there is an operational EternalBlue exploit available online that specifically targets these platform versions. Windows Server 2012, Windows XP and Windows Server 2003 were also hit.

While most of the affected machines were small servers, with 1-4 CPU cores, some were larger servers, and the researchers identified over 200 victim machines with more than 8 cores — even a 32-core server.

“According to our analysis, one fourth of the victims were reinfected by the worm. This suggests that victims attempted to clean up their systems without fixing the root cause issue that left them vulnerable in the first place,” Guardicore says.

During infection, a first-stage PowerShell script downloads and executes three binary files (a worm downloader, a Trojan and an MBR rootkit); creates a new administrative user named admin$ on the system; and downloads additional scripts to perform malicious actions.
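The reinfection pattern described above (a cleanup that removes the payloads but leaves the EternalBlue exposure) and the admin$ account created by the first-stage script both lend themselves to a quick host-side triage check. The following PowerShell script is an added example for defenders, not code from the article or from Guardicore’s report. It looks for a local account named admin$ and its membership in the Administrators group, checks whether the SMBv1 server is still enabled, and checks whether a hotfix is installed. The MS17-010 KB number differs per Windows build and is not given on the page, so the `$Ms17010Kb` parameter is a placeholder you must fill in for your OS; `$SuspectUser`, `$findings` and the report layout are this example’s own choices. It uses the ADSI WinNT provider rather than `Get-LocalUser` so it also runs on Windows 7 and Server 2008 R2, the versions the article says account for most infections.

```powershell
# Added example (not the article's or Guardicore's code): triage a Windows host
# for the admin$ account and for the unpatched/SMBv1-exposed state that lets
# EternalBlue reinfect it. Run from an elevated PowerShell prompt.
param(
    # Assumption / placeholder: the MS17-010 KB depends on the OS build.
    # Replace with the KB id(s) that apply to this host before relying on check 3.
    [string[]]$Ms17010Kb = @('KB-PLACEHOLDER-FOR-THIS-OS'),
    # Account name the article says the first-stage script creates.
    [string]$SuspectUser = 'admin$'
)

$findings = @()

# 1. Rogue local account named admin$, and whether it is a local administrator.
$computer   = [ADSI]"WinNT://$env:COMPUTERNAME"
$localUsers = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }
$rogue      = $localUsers | Where-Object { $_.Name.Value -eq $SuspectUser }

if ($rogue) {
    $adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    # Members come back as COM objects; pull each one's Name via reflection.
    $members = @($adminGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $detail = if ($members -contains $SuspectUser) { 'member of Administrators' } else { 'not in Administrators' }
    $findings += [pscustomobject]@{ Check = "Local user $SuspectUser"; Status = 'FOUND'; Detail = $detail }
} else {
    $findings += [pscustomobject]@{ Check = "Local user $SuspectUser"; Status = 'OK'; Detail = 'not present' }
}

# 2. SMBv1 server still enabled? EternalBlue targets SMBv1; on Windows 7 /
#    Server 2008 the value is absent by default, which means enabled.
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $smbParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)
$smbStatus = if ($smb1Enabled) { 'EXPOSED' } else { 'OK' }
$smbDetail = if ($null -eq $smb1) { 'SMB1 value absent (default: enabled)' } else { "SMB1=$smb1" }
$findings += [pscustomobject]@{ Check = 'SMBv1 server'; Status = $smbStatus; Detail = $smbDetail }

# 3. Is one of the expected MS17-010 hotfixes installed?
$hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID)
$patched  = @($Ms17010Kb | Where-Object { $hotfixes -contains $_ }).Count -gt 0
$patchStatus = if ($patched) { 'OK' } else { 'MISSING' }
$findings += [pscustomobject]@{ Check = 'MS17-010 hotfix'; Status = $patchStatus; Detail = "looked for: $($Ms17010Kb -join ', ')" }

$findings | Format-Table -AutoSize
```

A host that reports `FOUND` for the account check should be treated as compromised rather than merely exposed, and any `EXPOSED` or `MISSING` result means that removing the payloads alone will not stop the worm from coming back, which is the root-cause point Guardicore makes about the reinfected quarter of victims.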

“The Smominru group tends to use a large collection of payloads throughout the attack. In its current iteration, Smominru downloads and runs almost twenty distinct scripts and binary payloads,” the researchers note.

The attackers’ infrastructure includes more than 20 servers, with every single one serving a few files, and each file referencing an additional 2-3 servers. Many of the files are hosted on multiple servers, increasing the infrastructure’s flexibility and resilience.

Most of the servers are dedicated, rather than repurposed victim servers. They are mainly located in the US, with some hosted by ISPs in Malaysia and Bulgaria. A large portion of the attacks originate from western ISPs, Guardicore also says.

Related: Crypto-Mining Botnet Ensnares 500,000 Windows Machines

Related: Crypto-Mining Botnet Implements BlueKeep Scanner

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
