Smominru Botnet continues to rapidly spread worldwide

Pierluigi Paganini September 19, 2019

Researchers at Guardicore Labs report that the Smominru botnet is spreading rapidly and is now infecting over 90,000 machines each month worldwide.

In February 2018, researchers from Proofpoint discovered a huge botnet dubbed ‘Smominru’ that was using the EternalBlue exploit to infect Windows computers and recruit them in Monero cryptocurrency mining activities. According to the researchers, the Smominru botnet has been active at least since May 2017 and at the time of its discovery infected more than 526,000 Windows computers.

According to a new report published by researchers at Guardicore Labs, Smominru is still spreading rapidly and now infects over 90,000 machines each month worldwide.

The report published by Guardicore Labs researchers analyzes the attack chain and the nature of the victims.

The experts found that many machines recruited into the botnet were reinfected even after Smominru had been removed, which suggests these systems have remained unpatched since their first infection.

“During August, the Smominru botnet infected 90,000 machines around the world, with an infection rate of 4,700 machines per day. Countries with several thousands of infected machines include China, Taiwan, Russia, Brazil and the US.” reads the report published by the experts.

Most infected systems run Windows 7 or Windows Server 2008, which together account for 85 percent of all infections; the infected machines are concentrated in China, Taiwan, Russia, Brazil and the US.

In just one month the worm infected more than 4,900 networks, some of them with dozens of internal machines compromised. The largest affected network belongs to a healthcare provider in Italy, where the experts observed a total of 65 infected hosts.

Once a system is compromised, a first-stage PowerShell script named blueps.txt is downloaded onto the machine. This script performs the following actions:

  • It downloads and executes three binary files;
  • It creates a new administrative user named admin$ on the system;
  • It downloads additional scripts to perform malicious actions.


Once it has gained access to a targeted system, Smominru installs a Trojan module and a cryptocurrency miner and attempts to infect other machines inside the target network.

The botnet's main purpose continues to be crypto-mining, but experts recently observed that the operators have added a data harvesting module and a Remote Access Trojan (RAT) alongside the botnet's cryptocurrency mining code.

The latest variant of Smominru downloads and runs at least 20 distinct malicious scripts and binary payloads, including a worm downloader and an MBR rootkit.

The storage infrastructure is widely distributed: the experts found more than 20 servers, each serving a few files, and each file references two or three additional servers.

The operators stored many of the files on more than one hosting server, making the attack infrastructure more resilient to takedowns and more flexible.

Most of the machines are located in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The attackers create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time,” continues the report. “The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc.”

Guardicore Labs experts managed to gain access to one of the attackers’ servers and analyzed its content to gather information on the nature of the victims.

“The attackers’ logs describe each infected host; they include its external and internal IP addresses, the operating system it runs and even the load on the system’s CPU(s). Furthermore, the attackers attempt to collect the running processes and steal credentials using Mimikatz,” the report continues.

Unlike previous variants, the new Smominru bot also removes other infections from compromised systems and blocks TCP ports (SMB, RPC) to prevent infection by other threat actors.
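As an added defender-side example that is not code from the article or from the Guardicore report, the PowerShell triage script below enumerates the persistence locations the report lists (the admin$ user created by the first-stage script, scheduled tasks, WMI subscriptions, boot-time services and MS-SQL Agent jobs) together with the SMB/RPC block rules the newer variant adds. It assumes Windows 8.1/Server 2012 R2 or later for the LocalAccounts, ScheduledTasks and NetSecurity cmdlets and, for the SQL check, a local default instance reachable with Windows authentication; it only reads and reports, changing nothing.

```powershell
# Added example (not from the report): read-only triage of the persistence
# locations the report names. Assumes Win 8.1/2012 R2+ cmdlets and a local SQL instance.
$findings = @()

# 1. The first-stage script creates an administrative user named admin$.
Get-LocalUser -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq 'admin$' } |
  ForEach-Object { $findings += "Local user '$($_.Name)' present; check Administrators membership" }

# 2. Scheduled tasks whose action launches a script host or fetches from a URL.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
  $task = $_
  foreach ($a in $task.Actions) {
    if ("$($a.Execute) $($a.Arguments)" -match 'powershell|cmd\.exe|mshta|regsvr32|http') {
      $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)"
    }
  }
}

# 3. Permanent WMI event subscriptions (filter -> consumer bindings).
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
  ForEach-Object { $findings += "WMI binding: $($_.Filter) -> $($_.Consumer)" }

# 4. Auto-start services whose binary lives outside the Windows directory.
Get-CimInstance Win32_Service | Where-Object {
  $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^"?[A-Z]:\\Windows\\'
} | ForEach-Object { $findings += "Auto-start service '$($_.Name)': $($_.PathName)" }

# 5. SQL Server Agent jobs: freq_type 64 = run when the Agent starts (reboot),
#    freq_type 4 with freq_subday_interval = every N minutes/hours.
try {
  $conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Database=msdb;Integrated Security=True'
  $conn.Open()
  $cmd = $conn.CreateCommand()
  $cmd.CommandText = "SELECT j.name, s.command, sch.freq_type, sch.freq_subday_interval " +
    "FROM dbo.sysjobs j JOIN dbo.sysjobsteps s ON s.job_id = j.job_id " +
    "LEFT JOIN dbo.sysjobschedules js ON js.job_id = j.job_id " +
    "LEFT JOIN dbo.sysschedules sch ON sch.schedule_id = js.schedule_id"
  $r = $cmd.ExecuteReader()
  while ($r.Read()) { $findings += "SQL Agent job '$($r[0])' (freq_type $($r[2]), interval $($r[3])): $($r[1])" }
  $conn.Close()
} catch { $findings += "SQL Agent check skipped: $($_.Exception.Message)" }

# 6. Inbound block rules on SMB/RPC ports, which the newer bot adds to lock out rivals.
Get-NetFirewallRule -Direction Inbound -Action Block -ErrorAction SilentlyContinue |
  Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -match '^(445|135|139)$' } |
  ForEach-Object { $findings += "Block rule '$($_.DisplayName)' on SMB/RPC port" }

$findings
```

Every hit is a lead to review by hand against the host's build and change history, not a verdict; legitimate auto-start services and admin block rules will show up alongside anything an intruder left behind.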

Further data, including Indicators of Compromise, are reported in the analysis published by the experts.


Pierluigi Paganini

(SecurityAffairs – APT, hacking)
