Cryptojacking: Smominru botnet infected already half a million servers, Windows

Again?! So. Cyber criminals are changing tastes. Once again fancy the cryptojacking, i.e. the attack technique that uses a Web browser and JavaScript code for digging refreshed Monero. Malicious software has infected more than 500 000 servers and Windows computers, which now are part of a botnet Smominru, earning millions of dollars for their operators.

Monero and Ethereum is currently the most popular refreshed used in attacks on Internet users.

Monero kryptowaluta kurs

Whether it's a Bitcoin, Litecoin, Ethereum whether Monero, coal mining requires a high effort in "mining". Cyber criminals are looking for ways how to do it for free. And often it comes out, because the easiest way is to use computers to innocent users.

Kurs kryptowalut

Refreshed were and are being used for illegal activities for many years. Yet once were an excellent means of payment on underground forums in the Tor network. Later have been made popular enough that their digging we found very interesting for ordinary citizens. Unlike the Bitcoin math Monero does not need specialized farm mining equipped with high-end graphics processors. A distributed botnet network can be a lucrative business for their operators.

Botnet Smominru has infected half a million PCs and servers

Employees of the company Proofpoint from end of may 2017 followed botnet Smominru. Its total processing power earned for botnet operators millions of dollars. At the height of under the control of criminals was about 526 000 computers and servers, with which each day was 24 Monero. A total of 8900 dug coins on a major amount of almost 3 000 000 dollars.

Botnet Smominru

Most victims of malware spreading on port 445 for SMB located in Russia — almost 130 000 users. The second country to the number of infected IP addresses were India. In third place Taiwan. Botnet arrived also to Europe, including the Polish. Here, unfortunately we do not have accurate statistics, however, the following map allows you to figure out that the tentacles of a botnet can be traced back to our country.

Botnet Smominru mapa

The researchers, who were on the trail of the botnet, they contacted the owners of the stock market. Asked about blocking wallet address Monero, which influence the extracted "micro-" refreshed. After a few days with Proofpoint report positively, but it didn't stop the criminals. You registered a new domain by placing on them the JavaScript code and changed the address of the refreshed portfolio, which run off dug up.

Although today the botnet is not the end of taken off, it-as experts — operators lost control of the third part of the infected computers. Not much is with what you enjoy, because it still about 170 000 machines. The impact of increased consumption of CPU cycles on the potentially critical business infrastructure can be very high, as well as the cost of increased power consumption by servers.

Botnet Smominru how to protect?

Malware spreads via exploit EthernalBlue developed by the Agency of the NSA. It's the same as ransomware WannaCry and worm WannaMine, about which we reported two days ago. As for now, the infected computer is used for digging Monero, but chances are that operators on one of the malicious domains will replace the script "mining" other malware.

Both WannaMine and used malware in botnecie Smomintru, have several things in common. The first of them is a way of spreading by vulnerability CVE-2017-0144 in SMB, which was patched by Microsoft, but unfortunately not in any system deployed. The other common denominator is the WMI system, to which the malware access — then starts in on scripts and communicates with the server C & c. Botnets such as Smominru will become more and more common. It has been proven that they can produce very high profits at low cost.

To protect against infection from the exploit EthernalBlue, disable SMB or take care of the security, including installing security updates and protect your endpoints. In the case of companies particularly useful is the implementation of a comprehensive security product, such as UTM/NGFW, which at the level of the gateway protects workstations and servers before the automatic attacks, such as this one.



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.