
Massive Smominru Cryptocurrency Mining Botnet Dissected and Used in Place of Ransomware

Recently, security researchers from Cisco's Talos team wrote about current trends in the cybercriminal world. They noted that more and more adversaries are moving away from ransomware and are switching to malicious cryptocurrency miners. There are a few very good reasons for this.

First of all, ransomware has been such a prolific threat over the past few years that security companies have poured copious amounts of time and effort into fighting it. AV products are now much better at detecting even new ransomware samples, and users are better educated as well. Some victims have backups in place, which means they don't need to cooperate with the crooks at all. Others have no choice but to pay the ransom to get their files back, but that process is itself time-consuming and challenging for the less tech-savvy, and many of the people willing to pay simply can't afford it. Every one of those cases is a victim from whom the attacker never gets paid.

With cryptocurrency miners, things are a little different. They don't touch the files on the infected machine and they operate silently, so the user might not even notice the miner. At the same time, cryptocurrency prices have exploded over the last year or so, and while some coins, like Bitcoin, are impractical to mine profitably without specialized hardware, others, like Monero, can be generated on ordinary servers and home PCs. If you control lots of servers and PCs, you make lots of money, and you don't need a single victim to decide to pay you.

The operators of a Monero-mining botnet called Smominru control lots of Windows machines. Just a couple of months ago, Kafeine, a security researcher working for Proofpoint, wrote up what he and his team had learned after monitoring the botnet for the previous nine months.

They started tracking it back in May 2017, around the time of the WannaCry ransomware attack. We mention WannaCry because, like last year's biggest ransomware outbreak, the Smominru botnet was made possible by something called EternalBlue. EternalBlue is an exploit for a flaw in Windows' SMBv1 file-sharing protocol that is thought to have been developed by the NSA. A group calling themselves the Shadow Brokers leaked it in April 2017. Microsoft had already fixed the underlying flaw in its March 2017 security update (bulletin MS17-010), a month before the leak, yet many Windows machines remained unpatched and therefore vulnerable to it.

When we say "many," we mean it. We all know how big WannaCry was. Shortly after that ransomware was contained, Proofpoint found another Monero-mining botnet spreading through EternalBlue. It was called Adylkuzz, and Proofpoint said it had affected more endpoints than WannaCry. Now they are saying that Smominru could be twice as big as Adylkuzz.

To find out exactly how big it is, Proofpoint teamed up with Abuse.ch and ShadowServer, who helped them conduct a sinkhole operation: the infrastructure the bots call home to is redirected to servers the researchers control, so each infected host that checks in can be counted. In total, they detected more than 526 thousand Windows hosts, most of which are believed to be servers. Looking at the stats, they worked out that the crooks had made about 8,900 Monero (around $2.4 million at the time of writing), and that the bots they controlled were generating around 24 Monero (around $6 thousand at the current rate) per day.

The researchers also got in touch with the MineXMR mining pool, and the payout address associated with Smominru was banned. This, coupled with the sinkhole operation, hit the botnet hard, but the crooks adapted and were soon back at around two-thirds of the hash power they had exhibited during the botnet's strongest months.

The researchers didn't say how strong Smominru is at the moment, but its operators are unlikely to stop doing what they're doing as long as Monero's price stays high. And at $245 for 1 Monero, it's not exactly low, especially when the coins are generated on other people's hardware. The good news for sysadmins running Windows servers, and for regular users, is that the MS17-010 update that closes the EternalBlue hole has been available for months now. If you haven't applied it yet, you should start doing that right now. While you are at it, disable the legacy SMBv1 protocol that EternalBlue targets and make sure TCP port 445 is not reachable from the internet; either of those removes the attack surface even on a host the patch has not reached yet.
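The following is an added example, not code from the article or from Proofpoint, showing how an administrator can audit a Windows host for the EternalBlue exposures described above: SMBv1 still enabled, the MS17-010 update absent, and port 445 listening. It uses only standard cmdlets (Get-SmbServerConfiguration, Get-HotFix, Get-NetTCPConnection, Set-SmbServerConfiguration); the list of MS17-010 hotfix IDs is an assumption to be checked against the bulletin for your exact build, and on Windows 10 and Server 2016 later cumulative updates supersede those IDs, so a missing ID there is not proof of exposure.

```powershell
# Added example (not from the article): audit one Windows host for EternalBlue
# exposure and optionally switch SMBv1 off. Run from an elevated PowerShell session
# on Windows 8 / Server 2012 or later, where the Smb* and Net* cmdlets exist.

# Assumed MS17-010 hotfix IDs for the non-cumulative (pre-Windows 10) branches.
# Verify against the MS17-010 bulletin for your build before relying on this list.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598',                # XP / Server 2003 / Vista / Server 2008 SP2
    'KB4013429'                 # Windows 10 1607 / Server 2016 (superseded by later CUs)
)

function Test-EternalBlueExposure {
    [CmdletBinding()]
    param(
        # When set, turn the SMBv1 server protocol off if it is found enabled.
        [switch]$Remediate
    )

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1Enabled      = $null
        Ms17010Hotfix    = 'not found'
        Port445Listening = $false
    }

    # 1. Is the SMBv1 server protocol still enabled? EternalBlue only works against SMBv1.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) { $result.Smb1Enabled = [bool]$smb.EnableSMB1Protocol }

    # 2. Is one of the (assumed) MS17-010 hotfix IDs installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { $result.Ms17010Hotfix = ($installed.HotFixID -join ',') }

    # 3. Is anything listening on TCP 445 at all? If not, the exploit has no door to knock on.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listening

    # Disabling SMBv1 removes the attack surface regardless of patch state.
    if ($Remediate -and $result.Smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.Smb1Enabled = $false
    }

    [pscustomobject]$result
}

# Audit only:
Test-EternalBlueExposure
# Audit and switch SMBv1 off:
# Test-EternalBlueExposure -Remediate
```

A host that reports Smb1Enabled = True and Ms17010Hotfix = "not found" on a pre-Windows 10 branch is exactly the kind of machine Smominru and Adylkuzz recruited; a True for Port445Listening is only a problem if that port is reachable from untrusted networks, which this script cannot see and which you should check at the firewall.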
