2 weeks ago

Cryptocurrency Mining Malware Infected Over Half-Million PCs Using NSA Exploit


2017 was the year of high-profile data breaches and ransomware attacks, but from the beginning of this year, we are noticing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a popular and profitable choice of cyber criminals.

Several cybersecurity firms are reporting new cryptocurrency mining viruses that are being spread using EternalBlue, the same NSA exploit that was leaked by the hacking group Shadow Brokers and was responsible for the devastating widespread ransomware threat WannaCry.

Researchers from Proofpoint discovered a massive global botnet dubbed “Smominru,” a.k.a. Ismo, which is using the EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers to secretly mine Monero cryptocurrency, worth millions of dollars, for its master.

Active since at least May 2017, the Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said.

The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at the rate of roughly 24 Monero per day ($8,500) by stealing computing resources of millions of systems.


The highest number of Smominru infections has been observed in Russia, India, and Taiwan, the researchers said.

The command and control infrastructure of the Smominru botnet is hosted on DDoS protection service SharkTech, which was notified of the abuse, but the firm reportedly ignored the abuse notifications.

According to the Proofpoint researchers, cybercriminals are using at least 25 machines to scan the internet to find vulnerable Windows computers and are also using the leaked NSA RDP protocol exploit, EsteemAudit (CVE-2017-0176), for infection.

“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” the researchers concluded.

“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.”

Another security firm, CrowdStrike, recently published a blog post reporting another widespread cryptocurrency fileless malware, dubbed WannaMine, which uses the EternalBlue exploit to infect computers to mine Monero cryptocurrency.

Since it does not download any application to an infected computer, WannaMine infections are harder to detect by antivirus programs. CrowdStrike researchers observed the malware has rendered “some companies unable to operate for days and weeks at a time.”

Besides infecting systems, cybercriminals are also widely adopting cryptojacking attacks, wherein browser-based JavaScript miners utilise website visitors’ CPU power to mine cryptocurrencies for monetisation.

Since recently observed cryptocurrency mining malware attacks have been found leveraging EternalBlue, which had already been patched by Microsoft last year, users are advised to keep their systems and software updated to avoid being a victim of such threats.
