Home > Cyber News > Smominru Botnet Infects Machines With Monero Cryptocurrency Miner

Smominru Botnet Infects Machines With Monero Cryptocurrency Miner

Smominru botnet

Cybersecurity analysts discovered a massive worldwide attack carrying a dangerous malware called the Smominru botnet. It is capable of manipulating the configuration of the compromised hosts and has been found to install a Monero cryptocurrency miner which takes advantage of the available resources and uses them to generate income for the operators. Read the complete analysis to learn more about it, as well as to find out how to protect yourself from incoming threats. If anyone experiences the symptoms of an active botnet infection they can use our in-depth Smominru removal guide to restore their systems.

Smominru Botnet Attacks Surge: Source of Infections

Computer security analysts detected that a new botnet attack that has managed to infect thousands of victims in a very short time. At the moment there is no information about the identity of the hacker or criminal collective behind it. Some of the experts propose that the people behind it are a small hacker group.

Previously some of its code was used to spread threats like Mirai which makes it a potent weapon in the hands of every criminal. The obtained samples showcase that the infection methods are mainly related to automated penetration testing. The attack platform can load various exploits that target a wide range of appliances, servers and IoT devices. According to the released reports the increasing rate of infections are caused by low security and default credentials left by the owners. The effects upon database servers can be particularly devastating. They usually run on Microsoft Windows servers and have access both to the Internet and the internal network. In many cases they are also the administrative controllers of devices such as cameras and other peripherals. Two of the most widely used exploits are the following:

  • EternalBlue (CVE-2017-0144) — This is the well-known exploit popularly used during the WannaCry ransomware attacks in May 2017. They exploit vulnerabilities in the SMB protocol which is used for file sharing on the contemporary versions of Microsoft Windows.
  • EsteemAudit (CVE-2017-0176) — This is a weakness in the Smart Card authentication code used in the server versions of Microsoft Windows.

Depending on the hacker configuration the deployed threat can be something else other than the Smominru botnet: ransomware, Trojans and etc. However the reports clearly indicate that the main payload in all campaigns so far seems to be the Monero cryptocurrency miner. The Smominru botnet attacks victims primarily located in Russia, India, Brazil, Taiwan and Ukraine.

Related Story: WannaMine – Cryptoworm That Mines Monero by Force

Smominru Botnet Analysis: Damage Potential Report

We have been able to obtain several reports that showcase how the malware operates as soon as the targets are chosen. In comparison with other similar threats it uses a fairy complex behavior sequence. After a vulnerability has been detected the exploit code is automatically launched which performs the infiltration.

The next part of the Smominru botnet infection is done using WMI scripts. They can be programmed using several popular programming languages (PowerShell and VBScript for example) which downloads and engages the main malware engine. Its important to note that once the malware is deployed to the victim hosts it gains the ability to create its own processes with administrative privileges. It can also hook to other applications automatically or as part of the installed behavior patterns. Once the infection are operational a basic configuration file is loaded. It can vary from victim to victim and a countless number of different patterns can be involved. The second stage loads a Trojan module that interestingly reports to a secondary hacker-controlled server. There are two main approaches to this:

  • The Trojan code can be controlled by another group, a popular tactic which is sometimes proposed on the underground hacker forums. The criminals can plan high-profile intrusions by organizing themselves in groups — the first one takes care of the actual intrusions while the second one manages the consequent effects and deployed malware code.
  • If all components and hacker behavior patterns are the works of the same criminal collective then the use of several hacker servers. If the main one goes offline then they will still have the ability to control the infected hosts.

The next step installs a cryptocurrency miner that automatically starts to take advantage of the available hardware resources. The complex computing operations mine the Monero digital currency which is transferred to the operators as profit. This is one of the most popular alternatives to Bitcoin and over the past few weeks we have seen several large-scale attacks that deliver similar malware.

Another wave of malware components can follow the Smominru botnet. The final wave of additions can lead to system changes. An example is the institution of a persistent state of execution which automatically prevents manual user removal attempts. In such cases the use of a quality anti-spyware solution would be needed to remove the active infections. If any Windows registry modifications are made the users may experience performance issues and application or service failure.
At the moment it is estimated that about 500 000 computer users are impacted from the latest attack campaigns and their number steadily grows. It is believed that the generated profit amounts to 8900 Monero which at today’s currency exchange rate amounts to around $2,086,409.23.

Related Story: Mirai-Based Masuta IoT Botnet Spreads in a Worldwide Attack

Smominru Botnet Modular Framework Capabilities

The fact that the botnet is made using a modular framework allows the criminal groups to create further updates. We suspect that the source code may be posted online in the hacker underground forums for sale or traded between the various groups. The analysts note that this type of threat is categorized as fileless. This means that the whole attack can be caused by scripts that execute all further steps in the memory of the host computer until the threat is installed completely.
Anti-virus scans can be avoided if the information harvesting module is engaged during the first acts of intrusion. Right after the scripts are run the hackers can embed a particular behavior pattern in the malware’s configuration. It is able to scan the system — both the hard drive and the running memory for sensitive information. There are two main categories of data that can be outlined:

  • Personal Data — The hackers can harvest strings that are related to their identity. The malware engine is programmed to acquire all sorts of information related to the victim’s name, address, location, preferences and even passwords.
  • Anonymous Data — Various statistics related to the operating system version and the hardware components is gathered by the engine.

In many cases due to the deep infection the malware operators can also retrieve data from the user-installed applications as well. A popular example is the web browser — the hackers can harvest the stored data: history, bookmarks, form data, preferences, cookies, passwords and account credentials. Using the same mechanisms they can also impose a redirect code by modifying the default home page, search engine and new tabs page. Usually the victims are redirected to malware pages that institute tracking cookies and spy on the users.

Some of the obtained samples were found to feature a stealth protection feature that can be individually configured depending on the attack campaign. Using the retrieved information the botnet can scan for the presence of anti-virus software, sandbox and debugging environments and virtual machines. They can be bypassed or removed and if the malware is unable to do so it can choose to delete itself to avoid detection.
The virus files can also be programmed to infect the Windows folder by renaming its components as system files and placing them there. When this is used in a combination with a keylogger the hackers can record all mouse movement and keystrokes in a database which is relayed to the hacker operators.
During the thorough code analysis it was discovered that some of the produced malware samples are signed using Chinese certificates. It is possible that the hacker groups are operating from the or one of their servers is located there.

Computer users can should always be on alert for malware infections. A free scan can reveal such instances and allow for a simple removal.


Malware Removal Tool

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree