Smominru Botnet Infected Over 500,000 Windows Machines (mainly Windows servers)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Over 526,000 Windows computers —mainly Windows servers— have been infected with Monero mining software by a group that operates the biggest such botnet known to date.


This group's operations have been known to security researchers since last year, and various companies have published reports on its activity. Because the botnet is so massive and widespread, most previous reports covered only a fraction of the group's entire operation.

The most recent reports that have gotten to the bottom of things are from Qihoo 360 NetLab (botnet is named MyKings) and Proofpoint (botnet is named Smominru).

Other companies that published reports on fractions of the botnet's infrastructure and operations include GuardiCore, Trend Micro, Kaspersky, Panda Security, and Crowdstrike, but also some independent Chinese researchers [1, 2].
Click to expand...

Smominru made around $2.3 million

Putting all these together, we have a big picture of the largest mining botnet seen to date. The botnet has infected over 520,000 machines and has made a massive 8,900 Monero ($2,3 million) for its operators.


Smominru operators are using different techniques to infect machines. They mainly rely on the use of the EternalBlue (CVE-2017-0144) exploit, but they've also deployed EsteemAudit (CVE-2017-0176), both aimed at taking over machines running unpatched Windows OSes.

As GuardiCore pointed out, the botnet has also targeted MySQL servers on Linux machines, but also MSSQL databases on Windows Servers.

Both GuardiCore and NetLab observed the group deploying an assortment of malware strains on infected hosts, from Mirai DDoS bots to backdoors, albeit their primary operation was always Monero mining.
Click to expand...


Total victim count could be around 1 million

According to data gathered after sinkholing part of the botnet's infrastructure, most victims are located in Russia, India, Taiwan, Ukraine, and Brazil.

While the sinkholing operation yielded results that allowed Proofpoint to approximate the botnet's size at around half a million, a NetLab researcher told Bleeping Computer their company estimates the botnet at around 1 million infected hosts, based on different sources.
Click to expand...
 
  • Like
Reactions: Faybert and harlan4096
You must log in or register to reply here.

Similar threads

vtqhtr413
    • Like
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide
Replies
0
Views
475
News Archive
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • Wow
    • HaHa
    • Like
Security News Three million malware-infected smart toothbrushes used in Swiss DDoS attacks
Replies
2
Views
1,041
Security News
MuzzMelbourne
MuzzMelbourne
silversurfer
    • Like
    • +Reputation
Qakbot Hackers Continue to Push Malware After Takedown Attempt
Replies
1
Views
1,020
News Archive
Shadowra
Shadowra

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top