Criminals behind the cryptocurrency miner Smominru have raked in between $2.8 million and $3.6 million since May. The payday is impressive, say researchers at Proofpoint, who report that the operators have amassed a formidable botnet of infected servers pumping out 24 Monero daily, or the equivalent of $8,500.
The Smominru botnet, researchers said, is comprised of 526,000 infected Windows-based servers spread across Russia, India and Taiwan. The botnet is about twice the size of the cryptocurrency botnet Adylkuzz identified in May by Proofpoint.
Like Adylkuzz, Smominru uses the leaked NSA exploit EternalBlue as its attack kit to infect computers and make them part of a botnet that mines the Monero cryptocurrency, researchers said.
Patrick Wheeler, director of threat intelligence at Proofpoint, said the campaign has been surprisingly large and resilient to efforts to disrupt it.
“Mining bots at this point are not uncommon, but what makes Smominru unique is the size, profitability and its resilience,” Wheeler said. The botnet has withstood sinkhole mitigation efforts to analyze and disrupt operations.
“Smominru (is) adapting to the sinkholing and returning to two thirds of its hash rate with a new Monero mining address,” according to Proofpoint researchers who published a technical analysis of the botnet on Wednesday.
Wheeler said, with ransomware or banking trojans, it’s often hard to get a sense of profitability. But with cryptocurrency it’s easy to get a sense of how effective they are. The threat landscape is changing. Cybercriminals have gravitated away from ransomware and banking trojans and are now focused on cryptocurrency as values have risen sharply over the past 18 months, he said.
“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” according to Proofpoint.
Part of Smominru’s success is the miner’s use of Windows Management Instrumentation (WMI), which researchers said is unusual among coin-mining malware. WMI is Windows’ built-in management interface, commonly driven from scripts to automate administrative actions, and it is primarily used on servers.
“We have never seen WMI used in any other coin miners,” Wheeler said. Typically, coin miners have their own dedicated command-and-control (C2) network. Researchers say Smominru operators are using a hybrid of traditional C2 and WMI to configure and manage mining bots.
Proofpoint warns that because of the disproportionate number of Windows servers in the Smominru botnet, affected businesses may see performance hits on those servers as well as a jump in energy costs as systems run close to capacity.