A cryptocurrency mining botnet by the name of Smominru has stolen millions since May 2017 and has infected more than 526,000 Windows systems.
Public interest in cryptocurrencies has continued to increase, and so has the trading in popular cryptocurrencies. The amount of money in circulation, as well as the number of users, has attracted hackers and malicious users to this sector for a few years now. New attack vectors have come up with alarming frequency, and the latest addition to this infamous list is the Smominru botnet.
Smominru is a cryptocurrency mining botnet active since May 2017. It uses the EternalBlue exploit (CVE-2017-0144) to infect Windows hosts. Using this NSA exploit, made public by the Shadow Brokers group in April 2017, Smominru has infected more than 526,000 hosts so far. In its few months of operation, Smominru has mined around 8,900 Monero, worth about $2.45 million.
Researchers say that Smominru differs from most other malware of its kind in the unusual way it uses Windows Management Infrastructure. When they dug deeper and examined the hashing power of the Monero address linked to the botnet, they found that Smominru is at least twice the size of Adylkuzz.
Smominru has stolen 8,900 Monero so far, at a rate of 24 Monero per week. The mining pool it belongs to only realized something was wrong many days after Smominru first became active. Despite the action taken against it, Smominru stayed active by switching to new nodes. The botnet is spread by at least 25 nodes across the world, most of them in India, Russia, and Taiwan. These nodes use the EternalBlue exploit to bring more hosts under Smominru's control and mine more Monero.
SharkTech, a DDoS protection company, is the firm behind which Smominru's command and control infrastructure is hiding. Researchers have notified SharkTech and have also asked MineXMR to block the Monero address that Smominru uses to keep its operation running. None of these measures has had much impact, and Smominru remains very much active.
Researchers believe the malware operators chose Monero because it is still one of the popular cryptocurrencies that lets owners of ordinary CPUs mine with some success. Bitcoin mining is now dominated by large mining pools with computing power that ordinary users cannot match; Monero has not yet reached that point. That, combined with its high value, is the likely reason the Smominru creators picked it.
While researchers are always on the lookout for foul play in the cryptocurrency world, such incidents keep happening and will continue to happen. With so many users active in the market and enormous sums in circulation every day, the opportunity is ripe for malicious actors to make off with as much money as they can.