Botnet for cryptomining formed with NSA exploit

The EternalBlue botnet primarily affects Windows Server systems and is said to already comprise more than 500,000 machines.

The Smominru botnet is used to mine the cryptocurrency Monero. Experts from the security provider Proofpoint report that its unknown operators now control up to 526,000 systems. They distribute their malware using EternalBlue, the exploit stolen from the NSA, which already proved its effectiveness during the outbreak of the WannaCry ransomware.

The cybercriminals are said to have generated about 8,900 Monero since May 2017, worth between 2.8 and 3.6 million dollars depending on the exchange rate. This corresponds to a yield of around 24 Monero, or around $8,500, per day.

The botnet's high performance is due in part to the fact that Smominru primarily controls Windows servers, which are better suited to mining cryptocurrencies than desktop PCs because they usually have more computing power. In addition, servers often run around the clock, while regular PCs are often active for only a few hours at a time.

Proofpoint suspects that not all affected companies and organizations have yet discovered that attackers have penetrated their networks, although infected servers should show noticeably lower performance, higher utilization and increased energy consumption. In addition, at least 25 infected hosts use EternalBlue's worm capability to attack other systems with publicly reachable IP addresses in order to increase the size of the botnet.

The malware gets into unpatched systems through known vulnerabilities in the Remote Desktop Protocol of Windows Server 2003 and Windows XP. All attempts to take down the botnet, including by blocking IP addresses, have so far been unsuccessful. According to the researchers, the botnet was always able to recover, partly thanks to the EternalBlue exploit. The operators will probably manage to bring even more than the current figure of around 500,000 systems under their control.

Most infected systems are found in Russia, India and Taiwan. The researchers assume that these countries were not specifically targeted, but simply have more older and unpatched Windows systems than other countries. The best protection against EternalBlue is therefore a rigorous update policy. "Although we expect the number of vulnerable machines to decrease over time, there are obviously many unpatched machines with an SMB protocol accessible via public IP addresses," said Kevin Epstein, vice president of Proofpoint.