In August alone the Smominru botnet has indiscriminately hacked over 90,000 computers around the world.
Smominru is a cryptocurrency-mining and credential-stealing botnet that has been active since 2017. It primarily targets Windows computers using EternalBlue, malware created by the NSA that exploits vulnerabilities in certain versions of Microsoft’s Windows XP and Vista systems, allowing an external party to execute commands remotely on the target.
According to researchers at Guardicore Labs, once Smominru infects a machine it attempts to remove rival malware and then installs cryptomining software, steals login credentials, installs backdoors, and spreads laterally to other machines.
Even worse, Guardicore researchers noticed that some machines were being reinfected after Smominru was removed from them, suggesting that they remained exposed due to the lack of adequate patching.
In a report detailing the botnet, Guardicore Labs researchers said they managed to gain access to one of the attackers’ core servers.
“The attackers’ logs describe each infected host; they include its external and internal IP addresses, the operating system it runs and even the load on the system’s CPU(s). Furthermore, the attackers attempt to collect the running processes and steal credentials using Mimikatz,” the researchers say.
“Guardicore Labs has informed identifiable victims and provided them with the details of their infected machines.”
As mentioned before, in August, Smominru managed to infect 90,000 machines worldwide, at a pace of 4,700 systems per day, in countries including China, Taiwan, Russia, Brazil, and the United States.
Most of the compromised machines are running Windows 7 and Windows Server 2008 (85% of all infections).
Moreover, most of the infected machines discovered were small servers with 1-4 CPU cores, and the mining process left most of them unusable by overutilizing their CPUs.