Smominru is a botnet that, at the time of writing, consists of more than 526,000 infected Windows hosts, most of them Windows servers. It has been observed delivering other malware to vulnerable systems, including Mirai DDoS malware and other trojans, but its primary function is to generate profit for its operator(s) by mining cryptocurrency on the infected machines. According to researchers, Smominru has already earned approximately $2.3 million through mining and is the largest cryptocurrency-mining botnet reported to date.

The botnet infects Windows systems with the EternalBlue (CVE-2017-0144) and EsteemAudit (CVE-2017-0176) exploits: EternalBlue targets SMBv1, and EsteemAudit targets the RDP smart-card authentication path on Windows XP and Windows Server 2003. It also brute-forces or exploits MSSQL databases on Windows servers and MySQL databases on Linux servers. Most Smominru victims currently appear to be in Russia, India, Taiwan, Ukraine, and Brazil. Research firms disagree on where the operator is based: GuardiCore attributes Smominru to China, while ProofPoint reports that most of the botnet's IP scanners operate from a US-based network.
The NJCCIC recommends that users and administrators of Windows workstations and servers keep their operating systems patched and up-to-date, in particular by applying MS17-010 (the fix for EternalBlue), disabling SMBv1 where it is not required, and retiring or isolating the Windows XP and Windows Server 2003 hosts that EsteemAudit targets. We also recommend running a reputable, updated antivirus solution and monitoring systems for unusual or sustained spikes in CPU usage, which can indicate cryptocurrency-mining malware.
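The script below is an added example, not code from the NJCCIC advisory or from the ProofPoint, GuardiCore or Trend Micro reports. It covers both the propagation paths described above and the monitoring recommendation: it samples per-process CPU use several times and reports processes that stay above a threshold (with owner, path and command line, flagging binaries outside the usual install directories), checks whether the SMBv1 server that EternalBlue targets is still enabled, and lists permanent WMI event consumers, the mechanism Trend Micro describes for fileless spread and persistence. The 80 % threshold, six samples at 10 s intervals, and the "expected" directory list are assumed, illustrative values to tune per host; the WMI listing is not an indicator list, since those classes have legitimate uses.

```powershell
<#
  Added example (not from the NJCCIC advisory or the cited reports).
  Assumptions, not from the page: threshold, sample count, interval and
  the set of "expected" executable directories are illustrative values.
  Run from an elevated PowerShell prompt on the server being checked.
#>
param(
    [int]$ThresholdPercent = 80,   # assumed: sustained CPU above this is suspect
    [int]$Samples          = 6,    # assumed: number of samples to take
    [int]$IntervalSeconds  = 10    # assumed: seconds between samples
)

# --- 1. Sustained CPU consumers -------------------------------------------
# Win32_PerfFormattedData_PerfProc_Process reports "% Processor Time" per
# process, summed across cores, so a value can exceed 100 on multi-core hosts.
$overThreshold = @{}   # PID -> number of samples in which it exceeded the threshold
for ($i = 0; $i -lt $Samples; $i++) {
    Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -ne '_Total' -and $_.Name -ne 'Idle' -and
                       $_.PercentProcessorTime -ge $ThresholdPercent } |
        ForEach-Object {
            $id = [int]$_.IDProcess
            if ($overThreshold.ContainsKey($id)) { $overThreshold[$id]++ }
            else { $overThreshold[$id] = 1 }
        }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

# Assumed "expected" locations; a miner dropped elsewhere stands out.
$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }   # drop the null entry on 32-bit hosts

$sustained = $overThreshold.GetEnumerator() | Where-Object { $_.Value -eq $Samples }
foreach ($entry in $sustained) {
    $cimProc = Get-CimInstance Win32_Process -Filter "ProcessId = $($entry.Key)"
    if (-not $cimProc) { continue }   # process exited after the last sample
    $owner = $cimProc | Invoke-CimMethod -MethodName GetOwner
    $path  = $cimProc.ExecutablePath   # null for protected/system processes
    $inExpectedDir = $false
    foreach ($root in $expectedRoots) {
        if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inExpectedDir = $true
        }
    }
    $flag = if ($inExpectedDir) { 'sustained CPU' } else { 'sustained CPU, unexpected path' }
    [pscustomobject]@{
        PID         = $entry.Key
        Name        = $cimProc.Name
        Owner       = "$($owner.Domain)\$($owner.User)"
        Path        = $path
        CommandLine = $cimProc.CommandLine
        Flag        = $flag
    }
}

# --- 2. EternalBlue attack surface: is the SMBv1 server still enabled? ------
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning 'SMBv1 server is enabled (EternalBlue surface); run Set-SmbServerConfiguration -EnableSMB1Protocol $false after confirming nothing depends on it.'
    } else {
        Write-Output 'SMBv1 server is disabled.'
    }
} else {
    # Older hosts (Server 2008 R2 and earlier) lack the SMB cmdlets; the
    # LanmanServer SMB1 registry value (0 = disabled) is the documented switch.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -eq 0) { Write-Output 'SMBv1 server is disabled via registry.' }
    else { Write-Warning 'SMBv1 appears enabled (no SMB1=0 value); confirm MS17-010 is installed.' }
}

# --- 3. Permanent WMI event consumers (fileless persistence) ---------------
# These classes are legitimate, but on a server that has none by design any
# entry deserves review: the payload is what runs when the filter fires.
foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root/subscription -ClassName $cls -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $cls } }, Name,
            @{ n = 'Payload'; e = { if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText } } }
}
```

A process that is over the threshold in every sample, runs from an unexpected directory, and is owned by a service account is the pattern to escalate; a single sample is deliberately not enough, because legitimate workloads (backups, index rebuilds, compilation) spike briefly. On a host with SMBv1 still enabled and missing MS17-010, treat any such finding as likely compromise rather than a performance issue, and review the WMI consumers before rebooting, since a permanent subscription will re-launch the miner.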
Reporting and Technical Details:
- January 2018: Smominru Monero Mining Botnet Making Millions for Operators (ProofPoint)
- December 2017: Beware the Hex-Men (GuardiCore)
- August 2017: Cryptocurrency Miner Uses WMI and EternalBlue to Spread Filelessly (Trend Micro)