20 September 2019

Smominru botnet infected over 90K Windows computers in just one month


Operators behind the infamous cryptocurrency-mining and credential-stealing Smominru botnet have ramped up their efforts and in just one month managed to infect over 90,000 computers. The threat actor compromises Windows machines using the EternalBlue exploit and brute-force attacks on various services, including MS-SQL, RDP and Telnet, with the goal of stealing victim credentials and installing a trojan module and a cryptominer, according to the latest report from Guardicore Labs researchers, who have been tracking the Smominru botnet and its variants (Hexmen and Mykings) since 2017.

According to the researchers, in the last month alone more than 4,900 networks were infected by the Smominru worm, and many of these networks had dozens of internal machines infected. Among the victims are higher-education institutions, medical firms and even cyber security companies. Countries with several thousand infected machines each include China, Taiwan, Russia, Brazil and the US.

The majority of infected machines run Windows 7 and Windows Server 2008, which together account for 85% of all infections. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003, operating systems that have either been out of support for many years or are nearing End of Life (EOL).

The researchers found that many machines harnessed in the botnet were reinfected even after removing the Smominru worm, which suggests that these systems continued to remain unpatched even after the initial hack.

The majority of the infected machines discovered were small servers with 1-4 CPU cores.

The botnet compromises machines using various methods, the most prominent being the EternalBlue exploit and brute-forcing of different services and protocols. After the initial compromise, a first-stage PowerShell script named blueps.txt is downloaded onto the machine.

This script performs the following operations:

  • It downloads and executes three binary files;

  • It creates a new administrative user named admin$ on the system;

  • It downloads additional scripts to perform malicious actions.

“The attackers create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time. The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc,” the researchers said.

Unlike previous variants, the new Smominru version removes other malware found on compromised machines and also blocks various TCP ports (SMB, RPC) in order to prevent infections by other threat actors.
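As an added defender-side example (not code from the article or from Guardicore Labs), the PowerShell triage script below enumerates the persistence locations the researchers list above on a single Windows host: local accounts (flagging the admin$ user named in the report), non-Microsoft scheduled tasks, WMI permanent event subscriptions, auto-start services with binaries outside the Windows directory and, where the SqlServer module's Invoke-Sqlcmd is available, SQL Agent jobs in msdb. Only the admin$ account name comes from the page; the other checks are generic persistence inventories for manual review, and the SQL instance name localhost is an assumption.

```powershell
# Added triage script (not from the article or Guardicore Labs). Lists the
# persistence locations named in the report; only 'admin$' is a page-sourced
# indicator, every other entry is collected for an analyst to review.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Newly created users: the first-stage script creates an account named admin$.
Get-LocalUser | Where-Object { $_.Name -eq 'admin$' } | ForEach-Object {
    Add-Finding 'LocalUser' $_.Name "Enabled=$($_.Enabled)"
}

# 2. Scheduled tasks outside the \Microsoft\ tree, with the command each one runs.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $actions
}

# 3. WMI persistence: event filters (trigger queries) and command-line consumers.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiEventFilter' $_.Name $_.Query }
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WmiCmdConsumer' $_.Name $_.CommandLineTemplate }

# 4. Services set to start at boot whose binary is not under the Windows directory.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                   $_.PathName.Trim('"') -notlike "$env:SystemRoot\*" } |
    ForEach-Object { Add-Finding 'AutoStartService' $_.Name $_.PathName }

# 5. SQL Agent jobs, the MS-SQL scheduling engine the report describes as a
#    persistence method. Assumes the SqlServer module and a local default instance.
if (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue) {
    $q = "SELECT j.name, s.step_name, s.command FROM msdb.dbo.sysjobs j " +
         "JOIN msdb.dbo.sysjobsteps s ON j.job_id = s.job_id"
    Invoke-Sqlcmd -ServerInstance 'localhost' -Query $q -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'SqlAgentJob' "$($_.name) / $($_.step_name)" $_.command }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so the root\subscription namespace and all scheduled tasks are readable; an admin$ hit is a direct match on the page's indicator, while the remaining rows need context before being treated as malicious.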

A detailed analysis of the most recent Smominru campaign, as well as IoCs (Indicators of Compromise), is available in the Guardicore Labs report.
