Guardicore Labs: Smominru cryptomining botnet is still spreading and it’s stronger. Only in August the worm infected over 90,000 machines worldwide, Italy included, targeting Windows 7 and Server 2008 systems
Smominru cryptomining botnet is still spreading and it’s stronger. Only in August the worm infected over 90,000 machines worldwide. It has been revealed by Guardicore Labs cyber security experts. Countries hit include Italy, China, Taiwan, Russia, Brazil, and the US. Infected networks include US-based higher-education institutions, medical firms and even cyber security companies. As the attacks were untargeted and did not discriminate against industries or targets, they reached victims in various sectors. The malware, once it gains a foothold, attempts to move laterally and infect as many machines as possible inside the organization. Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts. Windows 7 and Windows Server 2008 are the most hit operating systems.
The cyber security experts: The malware exploits brute force and EternalBlue
According to the cyber security experts, Smominru compromises machines using various methods, the prominent ones being the EternalBlue exploit and brute-force of different services and protocols, such as MS-SQL, RDP and Telnet. After the initial compromise, a first-stage Powershell script named blueps.txt is downloaded onto the machine. This script performs several operations: It downloads and executes three binary files, It creates a new administrative user named admin$ on the system, and It downloads additional scripts to perform malicious actions. Cybercrime create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time. The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc.
Cybercrime put efforts in disabling and blocking other malicious actors’ activity in the targeted machine
Moreover, in the last versions of the botnet, it appears that cybercrime put much effort in disabling and blocking other malicious actors’ activity. This is done in various ways: Processes identified as other campaigns’ are killed, and their corresponding executable files are deleted; Backdoor credentials of other groups are dropped or deliberately broken by password modification (among these groups is Nansh0u); Scheduled tasks created by other groups are removed, and MS-SQL jobs created by other attack campaigns are deleted. In addition, Smominru blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer and propagates inside the network. Furthermore, it re-infect many machines, even after they have removed the malicious code.