Secrets of latest Smominru botnet variant revealed in new attack
The latest iteration of Smominru, a cryptomining botnet with worming capabilities, has compromised over 4,900 enterprise networks worldwide in August. The majority of the affected machines were small servers and were running Windows Server 2008 or Windows 7.
Smominru is a botnet that dates back to 2017 and its variants have also been known under other names, including Hexmen and Mykings. It is known for the large number of payloads that it delivers, including credential theft scripts, backdoors, Trojans and a cryptocurrency miner.
The latest variant of Smominru, which was documented by researchers from Carbon Black in August, uses several methods of propagation, including the EternalBlue exploit that has been used in the past by ransomware worms like NotPetya and WannaCry and which has been known and patched since 2017. The botnet also uses brute-force and credential stuffing attacks on various protocols including MS-SQL, RDP and Telnet to gain access to new machines.
Recently, researchers from security firm Guardicore gained access to one of Smominru's core command-and-control servers that stored victim details and credentials. This allowed them to gather information about the compromised machines and networks and assess the botnet's impact.
The data revealed that Smominru infected around 90,000 machines from more than 4,900 networks worldwide, at an infection rate of 4,700 machines per day. Many of the networks had dozens of compromised machines.
The countries with the largest number of infected computers were China, Taiwan, Russia, Brazil and the US. The Smominru attacks do not target specific organizations or industries, but US victims included higher-education institutions, medical firms and even cybersecurity companies, according to Guardicore.
Over half of the infected machines (55%) were running Windows Server 2008 and around a third were running Windows 7 (30%). This is interesting because these versions of Windows are still supported by Microsoft and receive security updates.
With the EternalBlue exploit, the expectation would be that machines running older and end-of-life versions of Windows would be more affected. However, it's unclear how many systems were compromised through EternalBlue and how many were infected because of weak credentials.
Attack aided by unpatched systems
"Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks," the Guardicore researchers said in a report released Wednesday. "Thus, it is crucial that operating systems be aligned with the currently available software updates. However, patching is never as simple as stated. Therefore, it is of high importance to apply additional security measures in the data center or the organization. Network microsegmentation detection of possibly malicious internet traffic as well as limiting internet-exposed servers are all critical to maintaining a strong security posture.
The poor security posture of many networks is also reflected by the fact that one in four victims were reinfected by Smominru. This means many organizations attempted to clean the infections but failed to properly close all attack vectors and address the root cause.
Most of the compromised machines had one to four CPU cores, falling in the small server category. However, over 200 of them had over eight cores and one machine had 32 CPU cores.
"Unfortunately, this demonstrates that while many companies spend money on expensive hardware, they are not taking basic security measures, such as patching their running operating system," the researchers said.
A serious infection with multiple payloads
Because of the botnet's worming capabilities any machine infected with Smominru can be a serious threat to a corporate network, and it's not just about cryptomining. This threat deploys a large number of payloads and creates many backdoors on infected systems to maintain persistence, including new administrative users, scheduled tasks, Windows Management Instrumentation (WMI) objects, start-up services and a master boot record (MBR) rootkit.
According to Guardicore's analysis, Smominru downloads and executes almost 20 distinct scripts and binary payloads. The company has published a detailed list of indicators of compromise, which includes file hashes, server IP addresses, usernames, registry keys and more, as well as a Powershell script to detect infected machines.