Smominru Botnet Infected Over 500,000 Windows Machines (mainly Windows servers)

LASER_oneXM

Feb 4, 2016
Over 526,000 Windows computers (mainly Windows servers) have been infected with Monero mining software by a group that operates the biggest such botnet known to date.


This group's operations have been known to security researchers since last year, and various companies have published reports on its activity. Because the botnet is so massive and widespread, most previous reports covered only a fraction of the group's entire operation.


The most recent reports that have gotten to the bottom of things are from Qihoo 360 NetLab (botnet is named MyKings) and Proofpoint (botnet is named Smominru).

Other companies that published reports on fractions of the botnet's infrastructure and operations include GuardiCore, Trend Micro, Kaspersky, Panda Security, and Crowdstrike, but also some independent Chinese researchers [1, 2].

Smominru made around $2.3 million

Putting all these together, we have a big picture of the largest mining botnet seen to date. The botnet has infected over 520,000 machines and has made a massive 8,900 Monero ($2.3 million) for its operators.


Smominru operators are using different techniques to infect machines. They mainly rely on the use of the EternalBlue (CVE-2017-0144) exploit, but they've also deployed EsteemAudit (CVE-2017-0176), both aimed at taking over machines running unpatched Windows OSes.


As GuardiCore pointed out, the botnet has also targeted MySQL servers on Linux machines, as well as MSSQL databases on Windows Servers.

Both GuardiCore and NetLab observed the group deploying an assortment of malware strains on infected hosts, from Mirai DDoS bots to backdoors, although their primary operation was always Monero mining.


Total victim count could be around 1 million

According to data gathered after sinkholing part of the botnet's infrastructure, most victims are located in Russia, India, Taiwan, Ukraine, and Brazil.


While the sinkholing operation yielded results that allowed Proofpoint to approximate the botnet's size at around half a million, a NetLab researcher told Bleeping Computer their company estimates the botnet at around 1 million infected hosts, based on different sources.
 
