2017 was the year of high-profile data breaches and ransomware attacks but since the beginning of this year. We have noticed a more rapid change in the cyber threat landscape, as cryptocurrency-related malware is becoming an option for popular and profitable cybercriminals. Several cybersecurity companies are reporting new cryptocurrency mining viruses spreading using EternalBlue. The same NSA exploit that was leaked by the Shadow Brokers hacking group and is responsible for the devastating WannaCry ransomware threat.
Proofpoint researchers discovered a massive global botnet called “Smominru,” also known as Ismo. That is using the SME EternalBlue exploit (CVE-2017-0144) to infect Windows computers to secretly mine the Monero cryptocurrency, worth millions of dollars. dollars, for his teacher.
Active since at least May 2017, the Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to researchers.
“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was probably twice the size of Adylkuzz,” the researchers said.
Botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million. At a rate of approximately 24 Monero per day ($8,500) by stealing the computing resources of millions of systems.
The highest number of Smominru infections have been observed in Russia, India, and Taiwan, the researchers said.
The highest number of Smominru infections have been observed in Russia, India, and Taiwan, the researchers said.
The Smominru botnet’s command and control infrastructure is hosted by the DDoS protection service SharkTech. Which was notified of the abuse, but the company allegedly ignored the abuse notifications.
According to Proofpoint researchers, cybercriminals are using at least 25 machines to scan the Internet to find vulnerabilities. Windows computers and also use the NSA’s well-explored RDP protocol scanner, EsteemAudit (CVE-2017-0176), to detect infection.
“As Bitcoin has become a prohibitive resource to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be effectively exploited on desktop computers, a distributed botnet like the one described here can prove quite lucrative for its operators,” the researchers concluded.
“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.”
Wanna Mine
Another security firm, CrowdStrike, recently published a blog post, reporting on another widely spread non-encryption malware, called WannaMine. Which uses the EternalBlue exploit to infect computers and mine the Monero cryptocurrency.
Since it does not download any applications to an infected computer. WannaMine infections are more difficult to detect by antivirus programs. CrowdStrike researchers noted that the malware has caused “some businesses to be unable to operate for days and weeks at a time.”
In addition to infecting systems, cybercriminals are also adopting CryptoJacking attacks, where JavaScript miners use the CPU power of website visitors to mine cryptocurrency for monetization.
Since the recently observed cryptocurrency mining malware attacks were discovered leveraging EternalBlue. Which had already been patched by Microsoft last year. Users are advised to keep their systems and software up-to-date to avoid falling victim to such threats.
