Smominru Botnet Infected Over 500,000 Windows Machines [source: bleepingcomputer]
by CIRT Team
Over 526,000 Windows computers —mainly Windows servers— have been infected with Monero mining software by a group that operates the biggest such botnet known to date.
This group’s operations have been known to security researchers since last year, and various companies have published reports on its activity. Because the botnet is so massive and widespread, most previous reports covered only a fraction of the group’s entire operation.
Other companies that published reports on fractions of the botnet’s infrastructure and operations include GuardiCore, Trend Micro, Kaspersky, Panda Security, and Crowdstrike, but also some independent Chinese researchers [1, 2].
Smominru made around $2.3 million
Putting all these together, we have a big picture of the largest mining botnet seen to date. The botnet has infected over 520,000 machines and has made a massive 8,900 Monero ($2.3 million) for its operators.
Smominru operators are using different techniques to infect machines. They mainly rely on the use of the EternalBlue (CVE-2017-0144) exploit, but they’ve also deployed EsteemAudit (CVE-2017-0176), both aimed at taking over machines running unpatched Windows OSes.
As GuardiCore pointed out, the botnet has also targeted MySQL servers on Linux machines, as well as MSSQL databases on Windows Servers.
Both GuardiCore and NetLab observed the group deploying an assortment of malware strains on infected hosts, from Mirai DDoS bots to backdoors, although their primary operation was always Monero mining.