Smominru Botnet Rises Again

Delaware, USA – September 19, 2019 – The growth of the Monero cryptocurrency price provokes the return of major players to the race for other people’s computing power. Guardicore Labs uncovered winning streak of infamous Smominru botnet infecting about 4.7k systems per day. The botnet appeared in May 2017 and used mainly EternalBlue exploit to infected more than 500,000 Windows systems in less than a year and mine about 9,000 Monero to its creators. In August, a new version of Smominru started to attack Windows servers exploiting the same vulnerability and brute-forcing various services and protocols (RDP, MS-SQL, Telnet). In the first month, the botnet managed to infect approximately 90,000 systems in 4,900 organizations, most of which are located in the USA, Brazil, China, India, Japan, and Russia. Most infected systems have Windows 7 installed, and about 30% run Windows Server 2008. The malware infects the server, searches for possible competitors, creates a backdoor user with admin rights and downloads scripts and executable files. Using downloaded scripts, Smominru terminates the processes of other cryptocurrency mining botnets, deletes related users and scheduled tasks, and blocks TCP ports associated with SMB and RPC. EXE files are necessary for further infection of systems in the organization’s network, installation of the MBR rootkit and PcShare remote access trojan, which is used to download and install the Monero mining component and credentials dumping tools.

In addition to the rogue account, Smominru botnet also creates scheduled tasks, WMI objects, and services that run at startup, so about a quarter of systems are reinfected after removing the malware. Even a complete cleaning of the system and installing updates does not guarantee protection since the collected credentials along with information about the system and its external IP are transmitted to the attackers’ server. Smominru infection can be detected using a script by Guardicore Labs: https://github.com/guardicore/labs_campaigns/tree/master/Smominru
You can also use the Brute Force Detection rule pack available on Threat Detection Marketplace to detect attempts of password guessing: https://my.socprime.com/en/integrations/brute-force-detection-hpe-arcsight