Smominru Mining Botnet In Cyber Turf War With Rival Malware

The Smominru mining botnet continues to wreak havoc on corporate machines by not only installing cryptominers, but also stealing credentials, installing backdoors, and making system configuration modifications that could affect the proper operation of an infected machine.


Smominru is a wormable malware that spreads using the EternalBlue exploit and by brute forcing RDP, MSSQL, Telnet and other exposed services. Once the botnet gains access to a machine, it will attempt to remove rival malware, secure the box from further infections, and then install cryptomining software, steal login credentials, install backdoors, and spread laterally to other machines.
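Because the worm spreads by brute forcing exposed RDP, MSSQL and Telnet logons, a defender's first signal is a burst of failed logons from one source across several services, followed by a success. The script below is an added example, not code from the article or from Guardicore: it parses constructed log lines of a hypothetical `<timestamp> <service> <result> src=<ip> user=<name>` format, flags sources that exceed a failure threshold inside a sliding window, and notes whether a successful logon followed the burst, which is the case worth escalating. The log format, threshold and sample addresses are assumptions.

```python
"""Added example: flag likely brute-force sources across exposed services.

Not code from the article or from Guardicore. The log format is a
hypothetical one chosen for this example:
    <timestamp> <service> <result> src=<ip> user=<name>
where service is RDP, MSSQL or TELNET and result is FAIL or OK.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One source hammers RDP,
# MSSQL and Telnet with failed logons and then succeeds on RDP; a second
# source mistypes a password once and then logs in normally.
SAMPLE_LOG = """\
2019-08-01T10:00:01Z RDP FAIL src=203.0.113.7 user=administrator
2019-08-01T10:00:02Z RDP FAIL src=203.0.113.7 user=admin
2019-08-01T10:00:03Z MSSQL FAIL src=203.0.113.7 user=sa
2019-08-01T10:00:04Z MSSQL FAIL src=203.0.113.7 user=sa
2019-08-01T10:00:05Z RDP FAIL src=203.0.113.7 user=guest
2019-08-01T10:00:06Z TELNET FAIL src=203.0.113.7 user=root
2019-08-01T10:00:09Z RDP OK src=203.0.113.7 user=administrator
2019-08-01T10:05:00Z RDP FAIL src=198.51.100.20 user=alice
2019-08-01T10:05:10Z RDP OK src=198.51.100.20 user=alice
"""

FAIL_THRESHOLD = 5            # assumed: failed logons from one source per window
WINDOW = timedelta(minutes=1)  # assumed: sliding window length


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, service, result, src, user = parts
    if not (src.startswith("src=") and user.startswith("user=")):
        return None
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"time": when, "service": service, "result": result,
            "src": src[4:], "user": user[5:]}


def find_bruteforce_sources(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src_ip: summary} for every source with at least `threshold`
    failed logons inside one sliding `window`, counted across all services.
    `success_after_burst` is True when a successful logon from the same
    source follows the burst."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        burst_end = None
        # Slide a window over the failures; stop at the first window that
        # holds at least `threshold` of them.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j]["time"] - fails[i]["time"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]["time"]
                break
        if burst_end is None:
            continue
        success_after = any(e["result"] == "OK" and e["time"] >= burst_end
                            for e in evs)
        findings[src] = {
            "failures": len(fails),
            "services": sorted({e["service"] for e in fails}),
            "users": sorted({e["user"] for e in fails}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_bruteforce_sources(SAMPLE_LOG).items():
        print(src, summary)
```

Counting failures across services rather than per service matters here: a worm that tries RDP, MSSQL and Telnet in turn may stay under a per-service threshold while the combined count from one source is clearly abnormal.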


In 2018, we reported that this botnet had infected over 500,000 machines and earned approximately $2.3 million. According to a new report from Guardicore Labs, the botnet is still heavily active with 90K new victims in August 2019 and 4.7K new infections per day.


To make matters worse, Guardicore has seen that 25% of infected victims were reinfected more than once, showing that machines were not being properly patched and secured after being cleaned.



Smominru statistics

As this worm uses the EternalBlue exploit, the researchers note that most of the infected operating systems are Windows 7 and Windows Server 2008, the versions for which working exploits for this vulnerability exist.


"Not surprisingly, Windows 7 and Windows Server 2008 are the most infected operating systems, representing 85 percent of all infections," Guardicore Labs stated in their report. "These are Windows versions for which there is an operational EternalBlue exploit available on the internet. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003. These are either systems which have been out of support for many years, or about to be End of ..
