Over 500,000 Windows Machines Infected with Monero Mining Software

Written by

More than 526,000 Windows hosts – mostly Windows servers – have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint.

In a blog on its website Proofpoint, having been monitoring the miner since the end of May 2017, explained that it spreads using the EternalBlue exploit (CVE-2017-0144), and whilst Smominru has been well-documented, its use of Windows Management Infrastructure is unusual for coin mining malware.

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the blog reads. “The operators had already mined approximately 8900 Monero (valued this week between $2.8m and $3.6m). Each day, the botnet mined roughly 24 Monero, worth an average of $8500 this week.”

At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and increase the size of the botnet, Proofpint added, with the hosts appearing to sit behind the network autonomous system AS63199.

“Other researchers also reported attacks via SQL Server, and we believe the actors are also likely using EsteemAudit (CVE-2017-0176 RDP), like most other EternalBlue attackers. The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, who we notified of the abuse but did not receive a reply.”

Proofpoint warned that the operators of this botnet are persistent, use all available exploits to expand their botnet and have found multiple ways to recover after sinkhole operations.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity.”

“Crypto-mining malware is becoming attacker's popular mode of operation, regardless of their targets,” said Nadav Avital, security researcher at Imperva. “Our analysis also shows that attackers favor anonymous cryptocurrencies, with Monero being the most prominent. Cryptocurrencies are popular as they are both secure, private and difficult to trace. Since many servers are not updated or patched on a regular basis, attackers have a bigger chance of success.”

What’s hot on Infosecurity Magazine?