Smominru: turning your PC into a cryptocurrency mining rig
Why go to all the bother of writing ransomware that demands victims pay a Bitcoin ransom? If all you want is cryptocurrency, why not use the infected computers to mine the crypto coins themselves? That way you don’t have to rely on a human victim buying some Bitcoin and nervously making their way onto the dark web to make their ransom payment.
According to security researchers at Proofpoint, that’s exactly the reasoning shown by online criminals who are moving from regular ransomware to cryptomining.
A giant mining botnet known as the Smominru miner has infected 526,000 Windows servers to mine the digital currency Monero. According to ZDNet, the online news site for IT professionals, the botnet has mined over 8,900 Monero coins. The value of the coins lies between $2.8 and $3.6 million USD ($3.48 and $4.47 million CAD) today.
The botnet operation used a program designed to exploit Windows servers called EternalBlue. EternalBlue was initially developed by the US National Security Agency (NSA). However, the Shadow Brokers hacker group leaked EternalBlue in 2017. The Smominru miner began operating in May 2017, the same time as the WannaCry ransomware attack that hit computers across Russia, Taiwan, Ukraine, and Britain.
The bot infected Windows servers in Russia, India, and Taiwan. It is unlikely that the attackers deliberately targeted these countries; rather, they are regions where the defence mechanisms against Windows exploits like EternalBlue are relatively weaker.
Although cryptojacking is fairly common, the Smominru miner took over 526,000 nodes at its peak, a large number of nodes by any measure.
How did Smominru’s creators manage to hijack so many computers into secretly mining cryptocurrency? They used several infection methods, most notably the notorious EternalBlue (CVE-2017-0144) and EsteemAudit (CVE-2017-0176) exploits, to take over computers running unpatched Windows operating systems. Both exploits were stolen from the National Security Agency (NSA) by the ShadowBrokers hacking group, and EternalBlue was then most famously put to work by the hard-hitting WannaCry ransomware.
WINDOWS SERVERS: THE BOTNET’S PRIMARY VICTIMS
According to a report by cybersecurity firm Proofpoint, the Smominru miner targeted Windows management infrastructure. In the past, botnets infected desktop PCs. Smominru represents a rare case where the botnet targeted servers instead.
Although servers are an unusual target, they are highly appealing for digital currency miners. Servers have higher processing power and are rarely, if ever, turned off. Monero can, therefore, be mined extensively for longer periods of time.
“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers, running much closer to capacity,” indicated the Proofpoint report.
The researchers at Proofpoint also noted that at least 25 of the infected hosts had conducted additional attacks through Eternal Blue. Examples include using worm-like features to infect new nodes. Vulnerable machines with publicly available IP addresses also experienced botnet attacks.
ATTEMPTS TO CURTAIL THE SMOMINRU PROBLEM
Despite the attempts to fix the problem, cybersecurity workers have only had short-term success. Proofpoint, abuse.ch, and the ShadowServer Foundation have all attempted to disable the botnet using sinkholing, a technique where malicious traffic is diverted away from the attacker’s infrastructure to a server the defenders control. They have managed to take down one third of Smominru mining bots. However, the bots quickly recovered. Thus far, the botnet has proven highly resilient and has been difficult to shut down.
“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” noted the report.
“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size.”
At the moment, “robust patching regimes remain the best defence against Eternal Blue,” Kevin Epstein, vice president of threat operations at Proofpoint, told ZDNet. “While we expect the number of vulnerable machines to decrease over time, obviously there are still many unpatched machines worldwide with SMB accessible by public IP.”
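The two controls named above, patching against EternalBlue and not leaving SMB reachable from the internet, can be audited on a server without relying on memory. The following read-only PowerShell audit is an added example written for this article; it is not Proofpoint’s tooling or anything from the report. It assumes it is run as Administrator on Windows 8.1 / Server 2012 R2 or later, and the KB list it carries covers only the March 2017 MS17-010 packages for Windows 7, 2008 R2, 8.1, 2012 and 2012 R2: later cumulative updates supersede those without listing them, so a missing KB is a prompt to verify the patch level, not proof of vulnerability.

```powershell
# Added example (not from the article or the Proofpoint report): audit the
# host-side controls against EternalBlue-style SMB exploitation.
# Assumptions: elevated session; Windows 8.1 / Server 2012 R2 or later for the
# Get-Smb* and Get-Net* cmdlets; the KB list is the March 2017 MS17-010 set for
# Win7/2008R2/8.1/2012/2012R2 and is superseded by later cumulative updates.

$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215',
                'KB4012216','KB4012217','KB4012598')

function Get-Ms17010Status {
    # Get-HotFix lists installed updates by KB id.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        $result = "present: $($installed.HotFixID -join ', ')"
    } else {
        $result = 'no March 2017 KB found; confirm a later cumulative update is installed'
    }
    [pscustomobject]@{ Check = 'MS17-010 (EternalBlue) patch'; Result = $result }
}

function Get-Smb1Status {
    # SMBv1 is the protocol version EternalBlue abuses; it should be off.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        if ($cfg.EnableSMB1Protocol) {
            $result = 'ENABLED (disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false)'
        } else {
            $result = 'disabled'
        }
    } catch {
        $result = 'unknown (Get-SmbServerConfiguration unavailable on this OS)'
    }
    [pscustomobject]@{ Check = 'SMBv1 server protocol'; Result = $result }
}

function Get-Smb445Exposure {
    # Is anything listening on 445, and do enabled inbound allow rules open it?
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $allowRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { @(($_ | Get-NetFirewallPortFilter).LocalPort) -contains '445' }
    # Rules scoped to the Public profile (or Any) matter most on internet-facing hosts.
    $public = @($allowRules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
    $result = "listening: $([bool]$listening); inbound allow rules for 445: $(@($allowRules).Count); " +
              "of which apply to the Public profile: $($public.Count)"
    [pscustomobject]@{ Check = 'TCP 445 exposure'; Result = $result }
}

@(Get-Ms17010Status; Get-Smb1Status; Get-Smb445Exposure) | Format-Table -AutoSize -Wrap
```

The host firewall view is only half the answer: whether 445 is actually reachable from a public IP depends on the perimeter firewall and NAT in front of the server, which this script cannot see, so confirm external exposure from outside the network as well. For single-purpose servers that never need file sharing, the most durable fix is to disable SMBv1 and block inbound 445 at the perimeter, with patching as the baseline for everything else.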
Conclusion:
Although it is unlikely that any individual infected PC will generate significant amounts of money for cryptominers, when you have hundreds of thousands of hijacked PCs under the command of a botnet the profits to be made are considerable.
Furthermore, a cryptomining attack has an arguably longer shelf-life than a ransomware attack. By its very nature, a traditional ransomware attack has to announce its presence to its victims in order to request a payment. Cryptominers, in contrast, want to draw as little attention to themselves in order to mine for as long as possible to generate the maximum income.
In fact, the biggest clue most users will have that their computer may be affected by a cryptominer is that the PC slows down, its battery drains more quickly, or its fan runs at full blast.
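On a server nobody sits in front of, the “it’s suddenly slow” symptom has to be turned into a repeatable check. The script below is an added example, not something from the article or the Proofpoint report: it samples per-process CPU time twice, reports any process that consumed more than a threshold share of all logical cores over the interval, and lists that process’s established outbound connections, since a miner typically keeps a long-lived connection to a mining pool. The interval and threshold are illustrative assumptions; a legitimate batch job or database will trip this too, so treat hits as leads to investigate, not verdicts.

```powershell
# Added example (not from the article): flag processes with sustained high CPU
# use and show their network peers for triage. Assumptions: thresholds are
# illustrative; run elevated so TotalProcessorTime and Path are readable for
# services; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

function Find-SustainedCpuHogs {
    param(
        [int]$IntervalSeconds = 30,       # sampling window
        [double]$ThresholdPercent = 60    # share of total machine CPU over the window
    )
    $cores = [Environment]::ProcessorCount
    $before = @{}
    # First sample: cumulative CPU seconds per PID.
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch { }
    }
    Start-Sleep -Seconds $IntervalSeconds
    # Second sample: the delta divided by (window x cores) is the machine-wide share.
    $hits = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }   # new since first sample
        try { $after = $p.TotalProcessorTime.TotalSeconds } catch { continue }
        $pct = 100 * ($after - $before[$p.Id]) / ($IntervalSeconds * $cores)
        if ($pct -lt $ThresholdPercent) { continue }
        # Established connections owned by the process: a miner keeps one open to its pool.
        $peers = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique
        $path = try { $p.Path } catch { $null }
        [pscustomobject]@{
            Id         = $p.Id
            Name       = $p.ProcessName
            CpuPercent = [math]::Round($pct, 1)
            Path       = $path
            Peers      = ($peers -join ', ')
        }
    }
    $hits | Sort-Object CpuPercent -Descending
}

# Usage: a 30-second window is enough to separate a steady miner from a CPU spike.
Find-SustainedCpuHogs -IntervalSeconds 30 -ThresholdPercent 60 | Format-Table -AutoSize -Wrap
```

Two things to look at in a hit: a process running from an unusual path (user-writable or temp directories rather than a known install location) and a single remote peer that stays connected across repeated runs. Either is worth a closer look, but neither is proof; compare against what the server is supposed to be doing before acting.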
Don’t make the mistake of thinking that this is a victimless crime. If your computers get recruited into a cryptomining botnet like Smominru, it’s your electricity and computer power that is being stolen.