2017 was the year of high-profile data breaches and ransomware attacks, but through the beginning of this year we are seeing a faster-paced shift in the cyber threat landscape, as cryptocurrency-related malware is becoming a common and profitable choice for cybercriminals.
Several cybersecurity firms are reporting new cryptocurrency-mining viruses that are being spread using EternalBlue, the same NSA exploit that was leaked by the hacking group Shadow Brokers and was responsible for the devastating and widespread WannaCry ransomware.
Researchers from Proofpoint discovered a massive global botnet dubbed “Smominru,” a.k.a. Ismo, that is using the EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers and secretly mine Monero cryptocurrency, worth millions of dollars, for its master.
Active since at least May 2017, the Smominru botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows, according to the researchers.
“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the researchers said.
The botnet operators have already mined approximately 8,900 Monero, valued at up to $3.6 million, at a rate of roughly 24 Monero per day ($8,500), by stealing the computing resources of millions of systems.
The highest numbers of Smominru infections have been observed in Russia, India, and Taiwan, the researchers said.
The command-and-control infrastructure of the Smominru botnet is hosted on the DDoS protection service SharkTech, which was notified of the abuse but reportedly ignored the notifications.
According to the Proofpoint researchers, the cybercriminals are using at least 25 machines to scan the internet for vulnerable Windows computers, and are also using the leaked NSA RDP exploit EsteemAudit (CVE-2017-0176) for infection.
“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” the researchers concluded.
“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.”
Another security firm, CrowdStrike, recently published a blog post reporting another widespread fileless cryptocurrency-mining malware, dubbed WannaMine, which uses the EternalBlue exploit to infect computers and mine Monero.
Since it does not download any application to an infected computer, WannaMine infections are harder for antivirus programs to detect. CrowdStrike researchers observed that the malware has rendered “some companies unable to operate for days and weeks at a time.”
Since the recently observed cryptocurrency-mining malware attacks leverage EternalBlue, which Microsoft patched last year, users are advised to keep their systems and software updated to avoid falling victim to such threats.