A commodity cryptomining botnet campaign that has infected a half-million computers is now tapping a lucrative secondary moneymaking opportunity in selling access to victim machines, according to researchers.
An analysis of the known Smominru cryptomining campaign, which uses a modified version of XMRig to perform Monero mining, has uncovered an evolution in tools to include RATs, the Mimikatz credential-scraper and an EternalBlue exploit for propagation. This has all coalesced into a multistage campaign involving profiling and selling victim and network access, according to Carbon Black’s Threat Analysis Unit (CB TAU).
“[Our hypothesis is] that these systems were being profiled for the purpose of selling access to buyers interested in that type of machine, especially any machine that happens to be located within a particular company of interest,” CB TAU researchers said in their report, published Wednesday. “Furthermore, based on the evidence uncovered, this campaign has been actively underway for the past two years, infecting systems en masse and actively spreading by way of EternalBlue.”
Retooling for Selling Access
The Smominru cryptomining malware has been enhanced with open-source reconnaissance and RAT capabilities, the researchers found. After establishing persistence on the target computer, the adversaries use PowerSploit’s PowerShell Mimikatz script to scrape information from lsass.exe and write it out to a raw text file. That’s sent to the command-and-control (C2) infrastructure. The EternalBlue exploit (made famous in the WannaCry campaign and now publicly available) is leveraged to automate the pivoting from one system to the next within a domain environment.
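One way a defender could surface the lsass.exe-scraping step described above, as an added example that is not code from the CB TAU report or this article: it assumes Sysmon Event ID 10 (ProcessAccess) records rendered as semicolon-separated key=value text, and an allowlist of legitimate LSASS clients that a real deployment would baseline locally.

```python
"""Flag processes that open lsass.exe with memory-read rights and rank
PowerShell callers highest. Input is constructed Sysmon Event ID 10
(ProcessAccess) records, not telemetry from the campaign."""
import re

PROCESS_VM_READ = 0x0010  # access right a credential dumper needs on LSASS
# Assumed local baseline of processes that legitimately open lsass.exe.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
FIELD_RE = re.compile(r"(\w+)=([^;]*)")


def parse_event(line):
    """Turn 'Key=Value; Key=Value' text into a dict; image paths lower-cased."""
    ev = {k: v.strip() for k, v in FIELD_RE.findall(line)}
    for key in ("SourceImage", "TargetImage"):
        ev[key] = ev.get(key, "").lower()
    return ev


def classify(ev):
    """Return 'high', 'medium' or None for one parsed ProcessAccess event."""
    if ev.get("EventID") != "10" or not ev["TargetImage"].endswith("\\lsass.exe"):
        return None
    if ev["SourceImage"] in ALLOWLIST:
        return None
    if not int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
        return None  # a handle without VM_READ cannot scrape credentials
    # PowerShell reading LSASS matches the PowerSploit Mimikatz step exactly.
    if ev["SourceImage"].endswith("\\powershell.exe"):
        return "high"
    return "medium"


def scan(lines):
    """Return (severity, source image, granted mask) for each suspicious record."""
    hits = []
    for ev in map(parse_event, lines):
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed sample records; paths and access masks are illustrative only.
SAMPLE_LOG = [
    r"EventID=10; SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1010",
    r"EventID=10; SourceImage=C:\Windows\System32\csrss.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1FFFFF",
    r"EventID=10; SourceImage=C:\Windows\explorer.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1000",
    r"EventID=10; SourceImage=C:\Temp\updater.exe; TargetImage=C:\Windows\System32\lsass.exe; GrantedAccess=0x1438",
]
```

Tune the allowlist and the severity rule to local telemetry; the VM_READ check is what separates a credential dump from the many benign handle opens on LSASS.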
Researchers found that Smominru’s C2 infrastructure is mainly comprised of compromised IIS v7.5 servers that they use to host toolsets and collect stolen data (including external IP addresses, internal IP addresses, domain information, usernames and passwords).
Taken all together, “it is highly plausible that they have established a separate revenue stream based on selling remote access in darknet marketplaces,” the researchers wrote, adding that they have indeed found Dark Web listings for access to machines, with probable links back to the campaign.
“Once a transaction is completed in an access marketplace, system credentials and/or remote access (via RAT, RDP, etc.) are provided on a members-only Dark Web marketplace,” according to the report. “Depending on the system, domain, performance, etc., the systems are ranked and sold at various price ranges, based on perceived value. This opens up a path for potentially purchasing access into a target organization, leveraging the system for large-scale attacks such as DDoS, or island hopping into another organization by proxy.”
The financial rewards that come from the retooling are compelling. The analysis indicated that the value of Monero at the time of writing was hovering around $90 per coin – if the attackers mine at their average pace of 8,900 Monero per six months, they stand to make $1.6 million annually. As for the system-access profit stream, if they can sell half of the 500,000 systems they have infected over the last year at the going Dark Web rate of $6.75 each, that translates into around $1.69 million – for a total annual revenue of $3.29 million.
Protecting the Criminal Business Model
The addition of what CB TAU calls “access mining” to the existing cryptomining campaign is likely an effort at diversification to shore up profits in the event of a Monero currency value dip (which happened late last year) or the sinkholing of part of Smominru’s infrastructure (which occurred in January 2018).
“This link between cryptomining and obtaining system access…illustrates how the economics of cyberattacks are often subject to the same market fluctuations we see in legal economies and how constant innovation is required for survival among the market’s participants, whether legal or otherwise,” according to the report.
Victims have been predominantly located in Asia Pacific, but the reach extends globally. The total number impacted is estimated to be well over 500,000 machines. As for attribution, CB TAU said that evidence points to the threat actor originating in Russia or Eastern Europe, using components also previously seen in Chinese malware and modified open-source/off-the-shelf tools.
Black Hat USA 2019 has kicked off this week in Las Vegas.