The cryptocurrency-mining and credential-stealing botnet Smominru (also known as Ismo) is spreading rapidly. According to researchers from the Guardicore Labs team, the botnet infects more than 90,000 computers a month worldwide.
“The attack compromises Windows machines using an EternalBlue exploit and brute-force on various services, including MS-SQL, RDP, Telnet and more. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer and propagates inside the network,” say Guardicore Labs researchers.
In August of this year alone, more than 4,900 networks were infected. The campaign hit US universities, medical firms and even cybersecurity companies, as well as systems in China, Taiwan, Russia and Brazil.
Most infected machines run Windows 7 or Windows Server 2008 and are small servers with one to four CPU cores; many of them became unusable because the miner saturated the CPU.
Since 2017, the Smominru botnet has been compromising Windows systems with EternalBlue, the SMBv1 exploit (fixed by the MS17-010 update) developed by the US National Security Agency and later leaked by the Shadow Brokers group. The worm also gains access to vulnerable systems by brute-forcing credentials on various services, including MS-SQL, RDP and Telnet.
Once on a system, Smominru installs the Trojan module and the cryptominer, spreads within the network, and uses the victims’ CPUs to mine Monero for the attackers’ wallet.
The attackers plant multiple backdoors at different stages of the attack: newly created user accounts, scheduled tasks, WMI objects, and services configured to start at boot. The researchers also gained access to one of the operators’ main servers, which stores information about the victims and their stolen credentials.
“Attack logs describe each infected system, including information on external and internal IP addresses, operating system, and CPU load. Moreover, attackers try to collect information about running processes and steal credentials using the Mimikatz tool,” the experts say.
Unlike earlier versions, the new Smominru also removes traces of infections by other criminal groups from compromised systems and blocks the TCP ports used by SMB and RPC to keep competitors out.
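The following host-triage script is an added example, not code from Guardicore Labs or from the Smominru sample. It walks the persistence locations named above (new user accounts, scheduled tasks, WMI objects, auto-start services) and then lists inbound firewall rules that block the SMB/RPC ports. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later; the 30-day look-back, the "trusted path" allowlist, the choice of TCP 135/139/445 as the SMB/RPC ports, and the reading of "WMI objects" as permanent WMI event subscriptions are all illustrative assumptions.

```powershell
# Added example, not code from Guardicore Labs or from the Smominru sample:
# a read-only triage pass over the persistence locations the article lists
# (new users, scheduled tasks, WMI subscriptions, auto-start services) and the
# inbound TCP blocks on SMB/RPC ports. Assumes an elevated PowerShell 5.1
# session on Windows 8.1 / Server 2012 R2 or later (see note below).

$LookBackDays = 30                                   # assumed window for "recent"
$Since        = (Get-Date).AddDays(-$LookBackDays)
$TrustedPaths = '^"?(C:\\Windows\\|C:\\Program Files|%SystemRoot%|%windir%)' # assumed allowlist
$LateralPorts = @('135', '139', '445')                # RPC endpoint mapper, NetBIOS, SMB (assumed)

function Get-RecentLocalUsers {
    # Security event 4720 ("A user account was created") is written for every new local account.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Created   = $_.TimeCreated
                Account   = $_.Properties[0].Value   # TargetUserName
                CreatedBy = $_.Properties[4].Value   # SubjectUserName
            }
        }
}

function Get-SuspiciousScheduledTasks {
    # Flag any task action that executes something outside the allowlisted paths
    # (including bare names such as "powershell.exe" that rely on PATH lookup).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -notmatch $TrustedPaths) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    Execute = $action.Execute
                    Args    = $action.Arguments
                    RunAs   = $task.Principal.UserId
                    State   = $task.State
                }
            }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions: an __EventFilter bound to a consumer that
    # runs a command line or script. Windows ships one benign pair ("SCM Event Log ...").
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  | Select-Object Name, CommandLineTemplate
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer | Select-Object Name, ScriptingEngine, ScriptText
}

function Get-SuspiciousAutoStartServices {
    # Services set to start at boot whose binary lives outside the allowlisted paths.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch $TrustedPaths } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Get-LateralPortBlocks {
    # Enabled inbound block rules on TCP 135/139/445, the kind the article describes
    # Smominru adding to lock out competitors. Port ranges (e.g. "135-139") are not expanded.
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $rule  = $_
        $pf    = $rule | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort) | ForEach-Object { "$_" }
        if ($pf.Protocol -eq 'TCP' -and ($ports | Where-Object { $LateralPorts -contains $_ })) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Ports = ($ports -join ','); Profile = $rule.Profile }
        }
    }
}

'== Local users created since {0:d} ==' -f $Since
Get-RecentLocalUsers           | Format-Table -AutoSize
'== Scheduled tasks executing outside trusted paths =='
Get-SuspiciousScheduledTasks   | Format-Table -AutoSize
'== WMI event subscriptions (bindings and consumers) =='
Get-WmiPersistence             | Format-List
'== Auto-start services executing outside trusted paths =='
Get-SuspiciousAutoStartServices | Format-Table -AutoSize
'== Inbound firewall rules blocking TCP 135/139/445 =='
Get-LateralPortBlocks          | Format-Table -AutoSize
```

Two caveats. First, Get-ScheduledTask and Get-NetFirewallRule do not exist on the Windows 7 / Server 2008 R2 hosts the article says make up most of the botnet; there, use `schtasks /query /v /fo csv` and `netsh advfirewall firewall show rule name=all dir=in` for the same two checks. Second, the path allowlist is a heuristic that will also flag legitimate third-party software, so treat hits as leads to examine, not verdicts; and before deleting any firewall block the worm left on 445, make sure MS17-010 is installed and SMBv1 is disabled, otherwise removing the rule simply reopens the host to the next EternalBlue scanner.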