Operators behind the infamous Smominru botnet, which mines cryptocurrency and steals credentials, ramped up their efforts and in just one month managed to infect over 90,000 computers. The threat actor compromises Windows machines using the EternalBlue exploit and brute-force attacks on various services, including MS-SQL, RDP and Telnet, with the goal of stealing victim credentials and installing a trojan module and a cryptominer, according to the latest report from Guardicore Labs researchers, who have been tracking the Smominru botnet and its variants (Hexmen and Mykings) since 2017.
According to the researchers, in the last month alone more than 4,900 networks were infected by the Smominru worm, and many of these networks had dozens of internal machines infected. Victims include higher-education institutions, medical firms and even cyber security companies. Countries with several thousand infected machines include China, Taiwan, Russia, Brazil and the US.
The majority of infected machines run Windows 7 and Windows Server 2008, which together represent 85% of all infections. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003: operating systems that have either been out of support for many years or are nearing End of Life (EOL).
The researchers found that many machines in the botnet were reinfected even after the Smominru worm was removed, which suggests that these systems remained unpatched after the initial compromise.
The majority of infected machines were small servers with 1-4 CPU cores.
The botnet compromises machines using various methods, the most prominent being the EternalBlue exploit and brute-forcing of different services and protocols. After the initial compromise, a first-stage PowerShell script named blueps.txt is downloaded onto the machine.
This script performs the following operations:
It downloads and executes three binary files;
It creates a new administrative user named admin$ on the system;
It downloads additional scripts to perform malicious actions.
“The attackers create many backdoors on the machine in different phases of the attack. These include newly-created users, scheduled tasks, WMI objects and services set to run at boot time. The MS-SQL attack flow includes a unique persistence method; the attackers use the obscure task scheduling engine inside MS-SQL to run jobs at different time intervals, e.g. upon reboot, every 30 minutes, etc,” the researchers said.
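A host triage check for the persistence artefacts described above (the admin$ account, scheduled tasks, WMI subscriptions, boot-time services and SQL Server Agent jobs), added here as an example; it is not part of the Guardicore report, and the regex heuristics and the sqlcmd query are assumptions rather than published indicators:

```powershell
# Added triage example (not from the Guardicore report). Run in an elevated Windows
# PowerShell session. Get-WmiObject and schtasks.exe are used so it also works on the
# Windows 7 / Server 2008 hosts the article describes. The match patterns below are
# assumptions chosen to surface interpreter- or script-based persistence, not IoCs.
$findings = @()

# 1. Local account named admin$ (the user the first-stage script creates, per the article)
$users = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True"
foreach ($u in $users) {
    if ($u.Name -eq 'admin$') { $findings += "Local user 'admin$' present (SID $($u.SID))" }
}

# 2. Scheduled tasks whose action launches PowerShell or a .txt "script" such as blueps.txt
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($cmd -match 'powershell|\.txt|blueps') { $findings += "Task $($t.TaskName): $cmd" }
}

# 3. WMI event subscriptions bound to a command-line consumer (runs a command on an event)
$bindings = Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
foreach ($b in $bindings) {
    $consumer = [wmi]$b.Consumer
    if ($consumer.__CLASS -eq 'CommandLineEventConsumer') {
        $findings += "WMI consumer $($consumer.Name): $($consumer.CommandLineTemplate)"
    }
}

# 4. Auto-start services whose binary path invokes an interpreter or a script file
$services = Get-WmiObject Win32_Service -Filter "StartMode='Auto'"
foreach ($s in $services) {
    if ($s.PathName -match 'powershell|cmd\.exe|\.txt|\.ps1') {
        $findings += "Service $($s.Name): $($s.PathName)"
    }
}

# 5. SQL Server Agent jobs (the MS-SQL scheduling engine the article mentions); needs sqlcmd
if (Get-Command sqlcmd.exe -ErrorAction SilentlyContinue) {
    $q = "SET NOCOUNT ON; SELECT j.name, s.subsystem, s.command FROM msdb.dbo.sysjobs j " +
         "JOIN msdb.dbo.sysjobsteps s ON j.job_id = s.job_id"
    $jobs = sqlcmd.exe -S . -E -h -1 -W -s '|' -Q $q 2>$null
    foreach ($line in $jobs) {
        if ($line -match 'powershell|cmdshell|\.txt|http') { $findings += "SQL Agent job: $line" }
    }
}

if ($findings.Count -eq 0) { 'No Smominru-style persistence artefacts found' } else { $findings }
```

Each hit is a lead for manual review, not a verdict: legitimate administration also uses scheduled PowerShell tasks and Agent jobs, so compare anything flagged against the report's IoCs and the host's change history.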
Unlike previous variants, the new Smominru version removes other malware found on compromised machines and also blocks various TCP ports (SMB, RPC) in order to prevent infections by other threat actors.
A detailed analysis of the most recent Smominru campaign, as well as IoCs (Indicators of Compromise), is available in the Guardicore Labs report.