Cryptomining Botnet Smominru Returns With a Vengeance
Researchers: New Campaign Spreading Worldwide
The cryptomining botnet Smominru, which has been around since at least 2017, has resurfaced with a new campaign that has infected 90,000 devices worldwide, including in the U.S., China and Russia, according to security analysts at Guardicore, a Boston-based security firm.
On Wednesday, the Guardicore researchers announced that they recently accessed a core server belonging to the threat group, which stores credentials and data from the victims.
By monitoring the server, Guardicore was able to study infection patterns and gauge the botnet's campaign. What they found was a botnet with a wide reach that included 4,900 infected networks; it averaged about 4,700 infections per day in August. The researchers also noted that the botnet infected three devices on each network on average, and that one network contained 65 hosts infected with malware.
In addition, researchers found indications that many victims apparently aren’t patching their systems to protect against the botnet attacks. They also found that some ISPs aren't blocking malicious activity.
"Unfortunately, it's disappointing but not surprising that so many systems have not been patched," Daniel Goldberg, security research expert at Guardicore Labs, tells Information Security Media Group. "For the majority of victims, they are not aware of how to secure their machines, and cryptocurrency mining does not immediately interfere or harm their day to day operations. In either case, having their machines compromised is barely noticeable to them."
At the same time, "ISPs have shown willingness to protect home users, but the same is not true of business customers. ISPs are capable of monitoring and detecting some malicious activity from their customers and could be more proactive and helping businesses protect themselves," Goldberg says.
Smominru’s recent activity has caught the attention of other cybersecurity vendors as well. In August, researchers with Carbon Black outlined the recent activity of Smominru and noted how the group behind the botnet had evolved over the past two years. This includes using new techniques such as polymorphic malware, repackaged or modified malware and open-source exploits.
The Carbon Black researchers also found that along with cryptomining, the threat actors had expanded their efforts to include stealing credentials and data.
"The botnet consists of global victims but primarily targets Asia and Europe," the Carbon Black researchers said. "The campaign primarily utilizes Eternal Blue scanning for lateral movement. Though complex in nature, the vast majority of the commands used by the campaign are either base64 encoded or in plain text."
The Guardicore researchers noted that they have gleaned information from the computer metadata they've gathered from accessing the Smominru server.
"This information would help criminals understand who they have successfully infected and to sell access to it," Goldberg says, adding that the attackers "primarily monetize victims by cryptomining. However, the attackers' tools are capable of stealing more data if they find it relevant."
The threat actors behind the botnet also are running it as their primary business, he says.
"Different members seem to have different jobs and different skill levels," Goldberg says. "Some parts of their attacks are quite sophisticated, such as abusing MS-SQL's job scheduler functionality for persistence. However, some of the group's members make basic mistakes, such as leaving their victim logs wide open to the internet."
Spread of Smominru
Smominru uses a number of methods to compromise devices. For example, in addition to exploiting the EternalBlue vulnerability found in certain versions of Windows, it uses brute-force attacks against MS-SQL, Remote Desktop Protocol and Telnet, according to the Guardicore report.
Once the botnet compromises the system, a PowerShell script named blueps.txt is downloaded onto the machine to run a number of operations, including downloading and executing three binary files - a worm downloader, a Trojan and a Master Boot Record (MBR) rootkit, Guardicore researchers found. The worm module moves malicious payloads through the network. The PcShare open-source Trojan has a number of jobs, including acting as the command-and-control channel, capturing screenshots and stealing information, and most likely downloading a Monero cryptominer, the report notes.
The group behind the botnet uses almost 20 scripts and binary payloads in its attacks. It also plants various backdoors at different stages of the attack, the researchers report. These include newly created users, scheduled tasks, Windows Management Instrumentation objects and services set to run when the system boots, Guardicore reports. In attacks targeting MS-SQL, the group uses the task scheduling engine inside MS-SQL for persistence, running jobs at different intervals, such as when the system reboots or every 30 seconds.
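For defenders reviewing an MS-SQL instance for the job-scheduler persistence described above, the following T-SQL hunt query is an added example, not taken from the Guardicore report. It assumes the "system reboots" trigger corresponds to a SQL Server Agent start schedule, and the interval thresholds are assumptions to tune against legitimate jobs.

```sql
-- Added example: list SQL Server Agent jobs whose schedule fires when the
-- Agent service starts or on a very short repeating interval.
-- Read-only; run it on the instance under review with access to msdb.
USE msdb;

SELECT
    j.name                     AS job_name,
    j.enabled                  AS job_enabled,
    SUSER_SNAME(j.owner_sid)   AS job_owner,
    j.date_created,
    j.date_modified,
    s.name                     AS schedule_name,
    CASE
        WHEN s.freq_type = 64 THEN 'runs when SQL Server Agent starts'
        WHEN s.freq_subday_type = 2 THEN
            'every ' + CAST(s.freq_subday_interval AS varchar(10)) + ' second(s)'
        ELSE
            'every ' + CAST(s.freq_subday_interval AS varchar(10)) + ' minute(s)'
    END                        AS trigger_reason,
    st.step_id,
    st.subsystem,              -- e.g. TSQL, CmdExec, PowerShell
    st.database_name,
    LEFT(st.command, 400)      AS command_preview
FROM dbo.sysjobs         AS j
JOIN dbo.sysjobschedules AS js ON js.job_id     = j.job_id
JOIN dbo.sysschedules    AS s  ON s.schedule_id = js.schedule_id
JOIN dbo.sysjobsteps     AS st ON st.job_id     = j.job_id
WHERE s.enabled = 1
  AND (
         s.freq_type = 64                                          -- Agent start
      OR (s.freq_subday_type = 2 AND s.freq_subday_interval <= 60) -- seconds
      OR (s.freq_subday_type = 4 AND s.freq_subday_interval <= 1)  -- minutes
      )
ORDER BY j.date_created DESC, j.name, st.step_id;
```

Rows whose owner, creation date or command text cannot be tied to a known administrative change are the ones to investigate first.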
The botnet’s infrastructure is highly distributed, with more than 20 servers used in parts of the attacks and each one serving a few files. Each of the files references another two to three servers, with many files hosted on more than one server, making it more difficult to take the infrastructure down, according to Guardicore's report.
Rather than using victims' servers, as is typical in some other botnet attacks, the attackers use their own systems that are primarily hosted in the U.S., with others hosted by ISPs in Malaysia and Bulgaria, the researchers say.
Most attacks originate at ISPs in the West, according to Guardicore. Many hosting companies can find and block malicious activity, which is why it’s “unclear why hosting companies such as Verizon or Rackspace are incapable of policing their networks in a similar fashion. Such actions would have stopped a large fraction of these attacks,” the report states.
"There is no large difference in the sophistication and size of this attacker organization compared to other bot groups," Goldberg says. "There is a lot of cross-pollination in techniques between groups, and the level of sophistication has been increasing over the years across the board. However, this group is unique in using dedicated servers, and we believe this shows a high level of confidence in their hosting providers. As long as ‘bullet proof’ hosting exists, this is a very effective technique as it simplifies the attackers' operations."
Windows Devices Targeted
Some 85 percent of the botnet’s infections target devices running Windows 7 and Windows Server 2008, according to Guardicore. That’s most likely because an EternalBlue exploit for these systems is readily available on the internet, the researchers report.
Other operating systems that have been targeted are Windows Server 2012, Windows XP and Windows Server 2003.
Most devices that the botnet targets are relatively small, with one to four CPU cores, although larger devices are not immune, the researchers report. So far, more than 200 infected machines have more than eight cores.
The Smominru cryptomining group also works to disable and block the malicious activities of other bad actors by deleting executable files, dropping or breaking backdoor credentials of other attackers, removing scheduled tasks and deleting MS-SQL jobs created by others, the Guardicore report notes. In addition, the botnet blocks TCP ports so that other threat actors can't get into those systems compromised by Smominru.