In February 2018, researchers from Proofpoint discovered a huge
Experts discovered that many machines recruited in the
“During August, the Smominru
Most of the infected systems run Windows 7 and Windows Server 2008, which together account for 85 percent of all infections; most victims are located in China, Taiwan, Russia, Brazil and the US.
In just one month, the worm infected more than 4,900 networks, some of which had dozens of internal machines infected. The largest network belongs to a
Once the system is compromised, a first-stage PowerShell script named blueps.txt is downloaded onto the machine. This script performs the following actions:
Once it has gained access to the targeted systems, Smominru installs a Trojan module and a
The latest variant of Smominru downloads and runs at least 20 distinct malicious scripts and binary payloads, including a worm downloader and an MBR rootkit.
The storage infrastructure is widely distributed: experts found more than 20 servers, each serving only a few files, and each file references an additional 2-3 servers.
Most of the
“The attackers create
Guardicore Labs experts managed to gain access to one of the attackers’ servers and analyzed its content to gather information on the nature of the victims.
“The attackers’ logs describe each infected host; they include its external and internal IP addresses, the operating system it runs and even the load on the system’s CPU(s). Furthermore, the attackers attempt to collect the running processes and steal credentials using Mimikatz,” continues the report.
Unlike previous variants, the new Smominru bot also removes existing infections from compromised systems and blocks the TCP ports used by SMB and RPC to prevent infection by other threat actors.
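Because the bot closes the SMB and RPC ports from inside the victim, an unexpected inbound Block rule on those ports is itself something a defender can look for. The following PowerShell check is an added example, not code from the article or from the Proofpoint or Guardicore reports: it lists every enabled inbound Block rule whose port filter covers the standard SMB ports (TCP 445 and 139) or the RPC endpoint mapper (TCP 135), so an administrator can compare the result against the rules they or their management tooling actually created. The port numbers are an assumption on my part (the article names the services, not the ports), and the function name is hypothetical; it relies only on the built-in NetSecurity cmdlets available on Windows 8 / Server 2012 and later, run from an elevated prompt.

```powershell
# Added example: find enabled inbound Block rules that cover SMB/RPC ports.
# Assumed ports (not stated in the article): SMB 445/139, RPC endpoint mapper 135.
$WatchedPorts = @('445', '139', '135')

function Get-SuspiciousBlockRule {
    # Hypothetical helper name. Start from the rules, then fetch each rule's port filter.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        # A rule with Protocol 'Any' blocks these ports too, so keep it alongside TCP.
        if ($filter.Protocol -notin @('TCP', 'Any')) { continue }

        # LocalPort may be a single port, a range such as '135-139', the word 'Any', or an array.
        $ports = @($filter.LocalPort) | ForEach-Object { "$_" }
        $hit = $false
        foreach ($p in $ports) {
            if ($p -eq 'Any') { $hit = $true; break }
            if ($p -match '^(\d+)-(\d+)$') {
                $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
                foreach ($w in $WatchedPorts) {
                    if ([int]$w -ge $lo -and [int]$w -le $hi) { $hit = $true }
                }
            } elseif ($WatchedPorts -contains $p) {
                $hit = $true
            }
        }

        if ($hit) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName
                Name        = $rule.Name
                Profile     = $rule.Profile
                Protocol    = $filter.Protocol
                LocalPort   = ($ports -join ',')
                # Built-in rules belong to a named display group; ad hoc rules added by a
                # script usually have none, which makes them stand out in the listing.
                Group       = $rule.DisplayGroup
            }
        }
    }
}

Get-SuspiciousBlockRule | Format-Table -AutoSize
```

Rules with an empty Group column and a generic or random-looking Name are the ones to check against change records; a legitimate hardening baseline will normally show up with a recognisable display group or a name your own tooling assigned.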
Further data, including Indicators of Compromise, are reported in the analysis published by the experts.
(SecurityAffairs – APT, hacking)