Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Smominru Botnet Infects Thousands of Hosts Daily

The Smominru botnet continues to spread at a fast pace, infecting around 4,700 new hosts daily during the month of August, Guardicore Labs reports.

The Smominru botnet continues to spread at a fast pace, infecting around 4,700 new hosts daily during the month of August, Guardicore Labs reports.

Active since 2017, the botnet was initially detailed in early 2018, when it had already infected over half a million machines, focusing on cryptocurrency mining. Upon infection, the malware also attempts to steal users’ credentials and to drop an additional Trojan module.

Also referred to as Hexmen and Mykings, Smominru has been targeting vulnerable Windows machines using an EternalBlue exploit, as well as employing brute-force attacks on services such as MS SQL, RDP, Telnet and more.

What Guardicore Labs’ security researchers noticed when analyzing the botnet’s activity was that some of the machines were being reinfected after Smominru was removed from them, suggesting that they remained exposed due to the lack of adequate patching.

Access to one of the attackers’ core servers provided Guardicore Labs with insight into the type of information they logged on each infected host, including external and internal IP addresses, operating system information, CPU load, and running processes. The logs also revealed attempts to steal credentials using Mimikatz.

In August, Smominru managed to infect 90,000 machines worldwide, at a pace of 4,700 systems per day, with China, Taiwan, Russia, Brazil and the United States hit the most. Among victims, the researchers found US-based higher-education institutions, medical firms, and cyber security companies.

Following the initial compromise, the botnet attempts to move laterally within the environment. Thus, it managed to affect over 4,900 networks in a month, with many of them having dozens of internal machines infected (a healthcare provider in Italy had a total of 65 infected hosts).

Advertisement. Scroll to continue reading.

Most of the impacted machines are running Windows 7 and Windows Server 2008 (85% of all infections), which is not surprising, given that there is an operational EternalBlue exploit available online that specifically targets these platform versions. Windows Server 2012, Windows XP and Windows Server 2003 were also hit.

While most of the affected machines were small servers, with 1-4 CPU cores, some were larger servers, and the researchers identified over 200 victim machines with more than 8 cores — even a 32-core server.

“According to our analysis, one fourth of the victims were reinfected by the worm. This suggests that victims attempted to cleanup their systems without fixing the root cause issue that left them vulnerable in the first place,” Guardicore says.

During infection, a first-stage PowerShell script downloads and executes three binary files (a worm downloader, a Trojan and an MBR rootkit); creates a new administrative user named admin$ on the system; and downloads additional scripts to perform malicious actions.

“The Smominru group tends to use a large collection of payloads throughout the attack. In its current iteration, Smominru downloads and runs almost twenty distinct scripts and binary payloads,” the researchers note.

The attackers’ infrastructure includes more than 20 servers, with every single one serving a few files, and each file referencing an additional 2-3 servers. Many of the files are hosted on multiple servers, increasing the infrastructure’s flexibility and resilience.

Most of the servers are dedicated, rather than repurposed victim servers. They are mainly located in the US, with some hosted by ISPs in Malaysia and Bulgaria. A large portion of the attacks originate from western ISPs, Guardicore also says.

Related: Crypto-Mining Botnet Ensnares 500,000 Windows Machines

Related: Crypto-Mining Botnet Implements BlueKeep Scanner

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...