The new Monero miner Smominru is active in the wild using the EternalBlue exploit to spread, according to a new report.
Smominru saw an uptick in activity starting in May 2017, and while its behavior after infection has not changed, the fact that it is using the Windows exploit to spread is unusual, Proofpoint reported. The malicious actors behind this campaign had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M), with the bad guys mining about 24 Monero, roughly $8,500, per week.
“At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and increase the size of the botnet. The hosts all appear to sit behind the network autonomous system AS63199,” Proofpoint wrote.
The attacks are being conducted by about 526,000 infected Windows hosts, with the majority located in Russia, India and Taiwan. Proofpoint managed to put a dent in the operation by working with MineXMR, the Monero mining pool.
“We contacted MineXMR to request that the current Monero address associated with Smominru be banned,” Proofpoint wrote, adding, “The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one third of the botnet in the process.”
The researchers noted that because cryptominers often dominate a CPU’s capacity, and because this one spreads by abusing a Windows business protocol, the corporations whose machines are likely being enslaved to mine Monero are also likely suffering from performance issues.
“Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size,” Proofpoint said.