Proofpoint says that it has been monitoring the Monero miner Smominru, which is using the EternalBlue Exploit. The company says that the way Smominru uses Windows Management Infrastructure is unusual among cryptocurrency mining malware. Proofpoint wrote, "The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as 'hash power'. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week."
The security firm states that at least 25 hosts are conducting attacks via EternalBlue to infect new nodes and increase the size of the botnet right now. "The hosts all appear to sit behind the network autonomous system AS63199. Other researchers also reported attacks via SQL Server, and we believe the actors are also likely using EsteemAudit (CVE-2017-0176 RDP), like most other EternalBlue attackers. The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, who we notified of the abuse but did not receive a reply," writes Proofpoint.
"We contacted MineXMR to request that the current Monero address associated with Smominru be banned. The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one-third of the botnet in the process," writes Proofpoint.
The reason for Monero being the cryptocurrency of choice for so many malware attacks is due to the more resource-intensive nature of Bitcoin, the most valuable cryptocurrency (which is known to be volatile and has seen its value crash this week).