Cybersecurity firm Proofpoint has been tracking the Smominru botnet, which has been earning millions of dollars for its operators by illegally mining the cryptocurrency Monero. The botnet spreads using the EternalBlue exploit (CVE-2017-0144, SMB). Monero can’t be effectively mined on a single desktop, but a widely distributed botnet like Smominru can make significant money for its operators.
Proofpoint says that the way in which Smominru uses Windows Management Infrastructure is unique among malware designed for cryptocurrency mining. The pace at which mining operations carry out mathematical operations to unlock new units of cryptocurrency is known as ‘hash power’. Proofpoint wrote, “Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.”
Proofpoint discerned that up to 25 hosts were carrying out attacks via EternalBlue to enlarge the botnet by infecting new nodes. All of these hosts appear to sit behind the autonomous system AS63199. The company said that, like most EternalBlue threat actors, the attackers are probably also using EsteemAudit (CVE-2017-0176, RDP). Proofpoint identified over 526,000 infected Windows hosts, most of which it believes are servers. The nodes are distributed around the world, with the largest numbers in Russia, India and Taiwan.
SharkTech hosts the botnet’s C&C infrastructure. When Proofpoint reached out to tell them about the abuse, SharkTech did not reply. Proofpoint also contacted MineXMR to ask that they ban the Monero address associated with Smominru; they did so, after which the botnet operators simply registered new domains and moved mining to a different address on the same pool. However, the group appears to have lost control of over one third of the botnet in doing so, as its hash rate dropped to roughly two-thirds of its previous level following the move.
Most of the nodes in the botnet seem to be Windows servers, so the performance impact on business infrastructure may be significant, including higher costs of energy because of the servers running closer to capacity. The operators of Smominru are persistent, finding new ways to recover after sinkhole operations and using all available exploits to expand the botnet’s size. Proofpoint said, “Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.” They added that they expect botnets like this to become more common and to keep growing in size.
Interest has grown in malware dedicated to mining Monero recently, particularly as Bitcoin has become too resource-intensive to mine outside of dedicated mining farms.