Smominru Botnet Infects Thousands of Hosts Daily

The Smominru botnet continues to spread at a fast pace, infecting around 4,700 new hosts daily during the month of August, Guardicore Labs reports.


Active since 2017, the botnet was initially detailed in early 2018, when it had already infected over half a million machines, focusing on cryptocurrency mining. Upon infection, the malware also attempts to steal users’ credentials and to drop an additional Trojan module.


Also referred to as Hexmen and Mykings, Smominru has been targeting vulnerable Windows machines using an EternalBlue exploit, as well as employing brute-force attacks on services such as MS SQL, RDP, Telnet and more.
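The brute-force component described above is the easiest part of this activity for a defender to spot in authentication logs. The following is an added example, not code from Guardicore Labs or from the article: a small sliding-window detector that flags a source address making repeated failed logins to the same service (MS SQL, RDP or Telnet, the services named above) and notes when a success follows the burst, which is the case that deserves immediate attention. The log format (`<timestamp> <service> OK|FAIL src=<ip> user=<name>`) is a hypothetical normalized format chosen for the example, and the sample lines use constructed addresses from documentation ranges.

```python
"""Sliding-window brute-force detector over normalized auth log lines.

Added example; the log format, threshold, window and sample data are
assumptions made for illustration, not anything from the Guardicore report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log in the hypothetical normalized format.
# 203.0.113.10 hammers RDP and then logs in; 198.51.100.7 makes a few
# MS SQL attempts; 192.0.2.5 probes Telnet slowly, eight minutes apart.
SAMPLE_LOG = """\
2019-08-01T10:00:01 rdp FAIL src=203.0.113.10 user=administrator
2019-08-01T10:00:05 rdp FAIL src=203.0.113.10 user=admin
2019-08-01T10:00:09 rdp FAIL src=203.0.113.10 user=guest
2019-08-01T10:00:14 mssql FAIL src=198.51.100.7 user=sa
2019-08-01T10:00:20 rdp FAIL src=203.0.113.10 user=test
2019-08-01T10:00:31 rdp FAIL src=203.0.113.10 user=backup
2019-08-01T10:00:40 mssql FAIL src=198.51.100.7 user=sa
2019-08-01T10:00:55 rdp OK src=203.0.113.10 user=backup
2019-08-01T10:05:00 telnet FAIL src=192.0.2.5 user=root
2019-08-01T10:13:00 telnet FAIL src=192.0.2.5 user=root
2019-08-01T10:21:00 telnet FAIL src=192.0.2.5 user=root
2019-08-01T10:29:00 telnet FAIL src=192.0.2.5 user=root
2019-08-01T10:37:00 telnet FAIL src=192.0.2.5 user=root
2019-08-01T10:40:00 mssql FAIL src=198.51.100.7 user=sa
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) (?P<result>OK|FAIL) "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one normalized line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {(src, service): {"failures": n, "succeeded_after": bool}}.

    A (source, service) pair is flagged once it accumulates `threshold`
    failed logins inside a sliding time `window`. "failures" records the
    largest burst seen; "succeeded_after" becomes True if a successful
    login from the same source to the same service follows the burst
    within one window, i.e. the guessing likely worked.
    """
    recent = defaultdict(deque)  # (src, service) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on noisy input
        key = (rec["src"], rec["service"])
        q = recent[key]
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            # Drop failures older than the window so slow probing does not accumulate.
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "succeeded_after": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif key in alerts and q and rec["ts"] - q[-1] <= window:
            # A success shortly after a flagged burst: treat as probable compromise.
            alerts[key]["succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    for (src, service), info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {service}: {info}")
```

With the default five-minute window only the RDP burst is flagged, and it is marked as followed by a successful login. The slow Telnet probing is not flagged because each attempt falls outside the window of the previous one; widening the window to an hour catches it, which is the trade-off to tune against your own log volume.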


What Guardicore Labs’ security researchers noticed when analyzing the botnet’s activity was that some of the machines were being reinfected after Smominru was removed from them, suggesting that they remained exposed due to the lack of adequate patching.


Access to one of the attackers’ core servers provided Guardicore Labs with insight into the type of information they logged on each infected host, including external and internal IP addresses, operating system information, CPU load, and running processes. The logs also revealed attempts to steal credentials using Mimikatz.


In August, Smominru managed to infect 90,000 machines worldwide, at a pace of 4,700 systems per day, with China, Taiwan, Russia, Brazil and the United States hit the most. Among victims, the researchers found US-based higher-education institutions, medical firms, and cyber security companies.


Following the initial compromise, the botnet attempts to move laterally within the environment. In this way it managed to affect over 4,900 networks in a month, many of them with dozens of internal machines infected (a healthcare provider in Italy had a total of 65 in ..
