The Smominru botnet, a well-known tool of criminal organizations, has been found running a massive campaign aimed at infecting victims with cryptocurrency miners.
The payload files that carry the infection are JPEG images of Taylor Swift. The botnet is also known under the names MyKings and DarkCloud.
Taylor Swift Images Can Get You Infected With a Miner: Attack Coordinated By Smominru Botnet
The Smominru botnet is a well-known threat that has been active since 2016 and has been used in various targeted attacks. In most cases it has delivered miners and Trojans against chosen targets. Some of the latest versions add a bootkit function that disables running security software and services and hides the botnet from discovery. Botnets like this one are distributed using a variety of tactics; the most popular are the following:
- Brute Forcing Login Attempts — Infection is automated with hacking toolkits that identify running services on the target and attempt dictionary attacks and brute-force logins.
- Vulnerability Exploits — The toolkits can look for weaknesses in those services and use popular exploits to take control of the devices.
The reports indicate that the new version of the Smominru botnet has been launched to spread JPEG images of Taylor Swift. These files are posted in JPG photo format to a public repository. When victims access them, a script launches executable code that starts the infection. The botnet infection is also set up as a persistent threat, meaning that configuration files and settings are changed so that it starts automatically as soon as the host boots.
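As an added defensive check, not code from the original report or from any Smominru research: the following Python walks a JPEG's segment structure to find where the image really ends and flags any bytes appended after it, which is the shape an image-carried payload takes. The sample files are constructed and the signature list is illustrative.

```python
# Markers with no length field: TEM, SOI, EOI and the RSTn restart markers.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
# Byte patterns that have no business in an image file (illustrative set).
SIGNATURES = [(b"MZ", "PE executable header"), (b"\x7fELF", "ELF executable"),
              (b"<script", "HTML script tag"), (b"#!/", "script shebang")]

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI,
    or -1 if the file is not a well-formed JPEG. Walking segments rather than
    searching for FF D9 matters: an appended payload may contain that pair."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: the image proper ends here
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                 # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] != 0
                    and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    return -1

def inspect_jpeg(data: bytes) -> dict:
    """Report bytes past EOI and any known signatures found among them."""
    end = jpeg_end_offset(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0, "indicators": []}
    tail = data[end:]
    hits = [name for sig, name in SIGNATURES if sig in tail]
    return {"valid_jpeg": True, "trailing_bytes": len(tail), "indicators": hits}

# Constructed sample: SOI, an APP0 segment, a tiny SOS, two data bytes, EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x06JFIF\xff\xda\x00\x03\x01\x12\x34\xff\xd9"
# Same skeleton with a fake executable stub appended after EOI. The stub also
# contains FF D9, so rfind(b"\xff\xd9") alone would not notice it.
TAMPERED_JPEG = CLEAN_JPEG + b"MZ\x90\x00stub\xff\xd9"
```

Run `inspect_jpeg` over files pulled from the repository in question; a non-zero `trailing_bytes` on a file that is supposed to be a plain photo is the signal worth triaging, whether or not a signature matches.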
The main engine delivers cryptocurrency miners: small scripts that download the actual mining workload, which “mines” the Monero cryptocurrency by processing transactions on its decentralized network. So far the botnet has recruited 45,000 hosts and mines $300 per day. According to the reports the main targets of the botnet are located in Asia. The top countries are: China, Russia, Taiwan, India, USA and Japan. The hacking group behind the latest attack campaigns is thought to be experienced, as the updated versions are a significant improvement over the previous iterations.
Apart from the miners, the botnet delivers other infections:
- PCShare Trojan — This Trojan starts automatically every time the computer is powered on and runs the typical Trojan engine, which allows the hackers to take control of the victim hosts.
- DNSChanger Trojan — This Trojan module performs an advanced system change: the host’s DNS settings are changed to a Chinese-based server. It is not operated by a hacking group at the moment, and the reason for this is not known. Other modules include an SQL brute-force component, a mass port scanner and a network discovery mode.
- Dloadr Malware — These are dangerous Nullsoft Installer archives used to deliver various types of virus threats.
- Forshare Trojan — This is a fairly common Trojan that contains Chinese text in its metadata.
- Coin Stealer Trojan — A less common payload. It performs multiple checks for installed cryptocurrency software and web services, then manipulates their fields and harvests the account data in order to hijack the victims’ assets.
Given the fact that the ongoing attacks are successful and continue to spread, we anticipate that future updates of the botnet and new attack campaigns will continue to be produced.