Proofpoint has been tracking a botnet that mines a cryptocurrency called Monero. What makes Monero attractive to attackers is that it is a private digital currency advertised as secure, private, and untraceable. Bitcoin has been dropping in value while Ethereum and Monero have gained value, and because Bitcoin does not offer complete anonymity, it is less usable for the commission of a crime. Today, I’m covering a Monero mining botnet called Smominru.
Mining cryptocurrency is a resource-intensive task that also takes time, so cyber-criminals have turned to loading scripts into your browser that mine Monero while you are on a particular website. Proofpoint began tracking a Monero miner called Smominru (hence the name of the botnet) that has been spread using the EternalBlue exploit since the last couple of weeks of May 2017.
The amount of money this botnet has made for its creators is in the millions. Hash power is the number of calculations performed per second in the attempt to solve a block and be rewarded with a fraction of a cryptocurrency coin. Since the end of May 2017, the botnet has mined roughly 8,900 Monero coins, valued between $2,800,000 and $3,600,000 depending on the fluctuating price of Monero.
Proofpoint observed 25 machines attempting to expand the botnet by launching attacks with EternalBlue, an NSA exploit that created a lot of buzz from May through July of 2017. All of the attacking hosts are located inside autonomous system AS63199, which belongs to Capital Online Data Service Co Ltd. According to a Bloomberg company profile, Capital Online Data Service is located in Beijing, China.
Other attacks have used SQL Server and EsteemAudit (a Windows remote desktop exploit from 2003), which fits the MO of other EternalBlue attackers. The command and control servers for Smominru are hosted on SharkTech’s infrastructure, which offers distributed denial of service protection, virtual private servers, and other products and services.
With help from abuse[.]ch and the ShadowServer Foundation, Proofpoint was able to set up a sinkhole to determine the location of the infected machines. Proofpoint discovered more than 526,000 infected Windows computers, the majority of which are believed to be servers.