The Smominru mining botnet continues to wreak havoc on corporate machines by not only installing cryptominers, but also stealing credentials, installing backdoors, and making system configuration modifications that could affect the proper operation of an infected machine.
Smominru is a wormable malware that spreads using the EternalBlue exploit and by brute forcing RDP, MSSQL, Telnet and other exposed services. Once the botnet gains access to a machine, it will attempt to remove rival malware, secure the box from further infections, and then install cryptomining software, steal login credentials, install backdoors, and spread laterally to other machines.
In 2018, we reported that this botnet had infected over 500,000 machines and earned approximately $2.3 million. According to a new report from Guardicore Labs, the botnet is still heavily active with 90K new victims in August 2019 and 4.7K new infections per day.
To make matters worse, Guardicore has seen that 25% of infected victims were reinfected more than once, showing that machines were not being properly patched and secured after being cleaned.
As this worm uses the EternalBlue exploit, the researchers note that most of the infected operating systems are Windows 7 and Windows Server 2008, for which working exploits for this vulnerability are available.
“Not surprisingly, Windows 7 and Windows Server 2008 are the most infected operating systems, representing 85 percent of all infections,” Guardicore Labs stated in their report. “These are Windows versions for which there is an operational EternalBlue exploit available on the internet. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003. These are either systems which have been out of support for many years, or about to be End of Life.”
Cyber turf wars
After infecting a machine, Smominru will download a worm component used to spread to other machines, an MBR rootkit, and a Trojan named PcShare that contains remote access Trojan (RAT) capabilities such as information stealing, command execution, and the downloading of further malware.
The researchers believe the PcShare component is used to download the Monero miners.
In addition to infecting the machine with a cocktail of malware, the botnet also goes to great lengths to remove any rivals from the infected computer.
It does this by terminating numerous processes, removing backdoor accounts, and deleting scheduled tasks associated with competing malware infections.
After removing rival malware from the machine, Smominru will attempt to secure the infected machine by blocking TCP ports 135, 137, 138, 139, and 445, which are associated with SMB and RPC.
With the elimination of rival malware and the hardening of an infected machine, the botnet can then utilize all of the computer’s resources for its own mining efforts.
Detecting and protecting against Smominru
To assist in detecting Smominru, Guardicore has released a PowerShell script that can scan for and detect the presence of this infection.
For those who wish to manually check if this infection is present, the researchers state that you can also check for the existence of the following files:
C:\Windows\Debug\item.dat
C:\Program Files\Common Files\xpdown.dat
C:\Program Files\Common Files\xpwpd.dat
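A scripted version of the manual file check above, as an added example (it is not Guardicore's detection script and not code from the article). The function name `Find-SmominruMarkerFile`, its `-Root` parameter and the output fields are assumptions of this example; it also records size, timestamps and a SHA-256 for each file found so a hit can be handed to incident response.

```powershell
# Added example, not Guardicore's script. Function name and output fields are assumptions.
# Sticks to PowerShell 2.0 features so it runs on stock Windows 7 / Server 2008.
function Find-SmominruMarkerFile {
    param(
        # Drive root(s) to inspect, e.g. 'C:\' or the root of a mounted disk image.
        [string[]]$Root = @($env:SystemDrive)
    )
    # The three paths listed in the article, relative to the drive root.
    $relative = @(
        'Windows\Debug\item.dat',
        'Program Files\Common Files\xpdown.dat',
        'Program Files\Common Files\xpwpd.dat'
    )
    foreach ($r in $Root) {
        foreach ($rel in $relative) {
            $path = [System.IO.Path]::Combine($r.TrimEnd('\') + '\', $rel)
            $row = New-Object PSObject -Property @{
                Path = $path; Present = $false; Length = $null
                CreatedUtc = $null; ModifiedUtc = $null; SHA256 = $null
            }
            # -Force returns the file even if it carries hidden/system attributes.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($item -and -not $item.PSIsContainer) {
                $row.Present     = $true
                $row.Length      = $item.Length
                $row.CreatedUtc  = $item.CreationTimeUtc
                $row.ModifiedUtc = $item.LastWriteTimeUtc
                try {
                    # ReadWrite sharing lets us hash a file another process holds open.
                    $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
                    try {
                        $sha = [System.Security.Cryptography.SHA256]::Create()
                        $row.SHA256 = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', ''
                    } finally { $fs.Close() }
                } catch {
                    $row.SHA256 = 'unreadable: ' + $_.Exception.Message
                }
            }
            $row | Select-Object Path, Present, Length, CreatedUtc, ModifiedUtc, SHA256
        }
    }
}

# Local check; pass -Root 'E:\' to examine a mounted image instead.
Find-SmominruMarkerFile | Format-List
```

A row with `Present` set to true calls for a full investigation of the host rather than deleting the file, since the article describes an MBR rootkit, backdoors and credential theft installed alongside these files.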
Ultimately, though, system administrators need to secure their machines so that they are not vulnerable to these types of infections.
“The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks. Thus, it is crucial that operating systems be aligned with the currently-available software updates.”
Being cognizant of the fact that patching can be a complicated task in some environments, Guardicore suggests applying additional security measures such as limiting publicly exposed servers and using network monitoring tools.