santiago silver - Fotolia

Businesses urged to patch against cryptocurrency-mining botnet

Researchers have uncovered further evidence that cyber criminals are cashing in on the popularity of cryptocurrencies, with the discovery of a global cryptocurrency-mining botnet

Just weeks after the discovery of a variant of the Satori botnet targeting computers dedicated to mining cryptocurrency to steal Ethereum coins, researchers have found another botnet mining cryptocurrency worth millions for its operators, and have urged business to patch against being infected.

Dubbed “Smominru”, the botnet is believed to have been active since the end of May 2017 and infected more than 526,000 computers running the Microsoft Windows operating system using the EternalBlue server message block (SMB) exploit, which was allegedly developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers hacking group in April 2017.

Like Ethereum, Bitcoin alternative Monero continues its upward trend in value, putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions, according to researchers at cyber security firm Proofpoint.

“Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cyber criminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free,” the researchers said in a blog post.

The botnet uses cryptocurrency mining software known as Smominru or Ismo, which is unusual among crypto mining malware in its use of Windows Management Infrastructure and its speed in unlocking new units of cryptocurrency.

The botnet appears to be capable of mining 24 Monero ($8,500) a day and is believed to have generated cryptocurrency worth up to $3.6m for its operators.

At least 25 hosts are conducting attacks through EternalBlue to infect new nodes and increase the size of the botnet, the researchers said, noting that other researchers have reported attacks through MySQL. The Proofpoint researchers believe the botnet operators are also likely using EsteemAudit (CVE-2017-0176), like most other EternalBlue attackers.

Smominru’s command and control infrastructure is hosted behind distributed denial of service (DDoS) protection company SharkTech, which has been notified by the researchers. They have also contacted Monero mining pool MineXMR to ban the Monero address linked to the Smominru botnet.

“The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one-third of the botnet in the process,” the researchers said.

Cryptocurrencies have been used by cyber criminals for years in underground markets, but in the past year, the researchers said they have observed standalone coin miners and coin mining modules in existing malware proliferate rapidly.

Read more about cryptocurrency cyber attacks

As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, the researchers said a distributed botnet such as Smominru can prove quite lucrative for its operators.

Because most of the nodes in this botnet appear to be Windows servers, the researchers believe the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity.

“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size,” they said.

Kevin Epstein, vice-president of threat operations at Proofpoint, said threat actors continue to “follow the money”, and because the money is increasingly in cryptocurrency, actors are turning their attention to a variety of illicit means to obtain cryptocurrencies.

“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe. Taking down the botnet is very difficult given its distributed nature and the persistence of its operators,” he said. 

“For businesses, preventing infection through robust patching regimens and layered security is the best protection from potentially disruptive impacts on critical infrastructure,” he added.

Read more on Hackers and cybercrime prevention