In 2017, the cyber landscape was marked by significant data breaches and ransomware incidents. This year, however, there has been a notable surge in cryptocurrency-related malware, indicating a shift in the tactics favored by cybercriminals. Multiple cybersecurity firms are now reporting the emergence of new cryptocurrency mining malware, much of which uses the infamous EternalBlue exploit, initially leaked by the hacking group Shadow Brokers and previously associated with the devastating WannaCry ransomware outbreak.
Researchers from Proofpoint have identified a sizeable global botnet known as “Smominru,” or Ismo, which actively utilizes the EternalBlue SMB exploit (CVE-2017-0144) to infiltrate Windows machines and clandestinely mine Monero cryptocurrency. Estimated to have infected over 526,000 systems primarily running outdated versions of Windows, Smominru is believed to generate significant revenue for its operators.
According to analysis, the botnet's operations have yielded around 8,900 Monero, valued at approximately $3.6 million, and it continues to mine roughly 24 Monero a day on commandeered computing resources, worth around $8,500 at the time of the report. The researchers note that, judging by its hashing power, Smominru could be twice the size of earlier mining botnets such as Adylkuzz.
The highest concentration of Smominru infections has been reported in Russia, India, and Taiwan. The botnet’s command infrastructure is reportedly hosted by DDoS protection service SharkTech, which, despite being notified of the ongoing abuse, has taken no action to address the matter.
To discover new vulnerable Windows computers, Smominru operators deploy at least 25 machines that scan the internet for targets. They are also using another exploit leaked from the NSA, EsteemAudit (CVE-2017-0176), to facilitate infections. As traditional cryptocurrency mining becomes increasingly resource-intensive, particularly for Bitcoin, attention has shifted to coins like Monero, which can still be mined profitably on ordinary CPUs in distributed environments such as botnets.
Furthermore, a recent report from CrowdStrike detailed another pervasive cryptocurrency threat named WannaMine, which employs the EternalBlue exploit to compromise systems for Monero mining. This fileless malware variant is particularly insidious due to its operational stealth; it does not download conventional malware, making detection by antivirus solutions significantly more challenging. CrowdStrike noted instances where organizations were rendered inoperative for extended periods as a result of WannaMine infections.
Amid this rising trend, cryptojacking attacks, where cybercriminals employ JavaScript miners on web pages to leverage visitor CPU power for cryptocurrency mining, are becoming increasingly common. With the emergence of threats exploiting vulnerabilities like EternalBlue—which has been patched by Microsoft—staying vigilant and maintaining updated software is critical for organizations seeking to mitigate risks associated with these evolving cyber threats.
In light of these developments, business owners must remain aware of the tactics employed by adversaries, which may include initial access, persistence, and privilege escalation as delineated in the MITRE ATT&CK framework. By understanding these techniques, organizations can better fortify their defenses against the burgeoning risks associated with cryptocurrency-oriented cybercrime.