Massive Smominru Botnet Is Turning Windows PCs Into Cryptocurrency Mining Zombies

With Monero being relatively easy to mine compared to other cryptocurrencies, legitimate users and a bunch of nefarious users are working hard to mine the valuable digital currency. The value of Monero means that some of those nefarious users are rolling out massive botnets to shackle PCs into working for them. 

Proofpoint says that it has been monitoring the Monero miner Smominru, which is using the EternalBlue Exploit. The company says that the way Smominru uses Windows Management Infrastructure is unusual among cryptocurrency mining malware. Proofpoint wrote, "The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as 'hash power'. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week."

monero value
Monero value over the last year

The security firm states that at least 25 hosts are conducting attacks via EternalBlue to infect new nodes and increase the size of the botnet right now. "The hosts all appear to sit behind the network autonomous system AS63199. Other researchers also reported attacks via SQL Server, and we believe the actors are also likely using EsteemAudit (CVE-2017-0176 RDP), like most other EternalBlue attackers. The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, who we notified of the abuse but did not receive a reply," writes Proofpoint.

As of now the massive botnet has over 526,000 infected Windows hosts; most of those hosts are believed to be servers. The hosts have a global dispersion, but most of them are in Russia, India, and Taiwan.

Distribution of Smominru nodes

"We contacted MineXMR to request that the current Monero address associated with Smominru be banned. The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one-third of the botnet in the process," writes Proofpoint.

The reason for Monero being the cryptocurrency of choice for so many malware attacks is due to the more resource-intensive nature of Bitcoin, the most valuable cryptocurrency (which is known to be volatile and has seen its value crash this week). Monero can’t be mined effectively on single desktop computers, but a massively distributed botnet such as Smominru is effective at making significant money for its operators. This means a high likelihood that the botnet will continue to grow and others like it might pop up.