The number of cyber attacks against the cryptocurrency sector continues, vxers are focusing their efforts on the development of cryptocurrency/miner malware.
Recently security experts observed cryptocurrency miners leveraging the NSA EternalBlue SMB exploit (CVE-2017-0144) as spreading mechanism.
On August 2017, a new fileless miner dubbed CoinMiner appeared in the wild, it uses NSA EternalBlue exploit and WMI tool to spread.
Now researchers Researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ (aka Ismo) that is using the EternalBlue exploit (CVE-2017-0144) to infect Windows computers and recruit them in Monero cryptocurrency mining activities.
” Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators.” states the analysis published by Proofpoint
With the help of Abuse.CH and the ShadowServer Foundation, Proofpoint conducted a sinkholing operation that allowed to profile the botnet.
The command and control infrastructure of the Smominru botnet is hosted on DDoS protection service SharkTech, Proofpoint promptly notified the abuse to the service provider without receiving any response.
According to the researchers, the Smominru botnet has been active at least since May 2017 and has already infected more than 526,000 Windows computers.
“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said. “The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).”
The researchers at Proofpoint discovered that crooks are using at least 25 hosts to scan the Internet for EternalBlue vulnerable Windows computers and also leveraging the NSA EsteemAudit (CVE-2017-0176) for compromising the target machines.
The machines all appear to sit behind the network autonomous system AS63199, further technical details and the IoCs are included in the analysis published by Proofpoint.
“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.” concluded the Proofpoint.
“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”