A Monero-mining botnet named Smominru has been found spreading via the EternalBlue exploit and has already infected more than 500,000 Windows hosts.
Researchers from Proofpoint found that the operators have already mined approximately 8,900 Monero, worth between $2.8M and $3.6M. The botnet was mining around 24 Monero per day, worth an average of about $8,500 a day during the week of the report.
“Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware.”
Researchers also said that at least 25 nodes were actively attacking other machines via EternalBlue (CVE-2017-0144) to infect new hosts and grow the botnet; all of these attacking hosts appear to sit behind the autonomous system AS63199.
With the help of abuse.ch and the ShadowServer Foundation, the Proofpoint team carried out a sinkholing operation to measure the botnet's size and locate its individual nodes.
They found that the botnet comprises more than 526,000 infected Windows hosts, most of which are believed to be servers.
The nodes were distributed worldwide, with the highest numbers observed in Russia, India, and Taiwan.
“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity.”
Researchers also warned that the attackers are using every exploit available to them to spread the botnet, and that they have found multiple ways to recover after sinkholing operations.
There were also reports of attacks against SQL Server and of attacks using EsteemAudit (CVE-2017-0176), an exploit for a vulnerability in RDP on Windows Server 2003 and Windows XP.
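For an administrator reading this, the practical question is whether a given Windows host exposes the attack surface described above (SMBv1 for EternalBlue, RDP for EsteemAudit) and whether it already shows the WMI footprint the Proofpoint quote mentions. The triage script below is an added example written for this page, not Proofpoint's tooling or any Smominru indicator. It assumes a Windows 8 / Server 2012 or later host run from an elevated PowerShell session, and it assumes the list of MS17-010 KB numbers is the March 2017 set; later cumulative updates supersede those KBs, so a missing KB is a prompt to check the update history rather than proof of exposure. The page says only that the miner "uses" WMI; the script checks permanent WMI event subscriptions because that is the common way malware persists through WMI, which is an assumption on my part, not something the article states.

```powershell
# Host triage for the exposure discussed in the article: SMBv1 / MS17-010 (EternalBlue),
# RDP exposure (EsteemAudit), WMI permanent event subscriptions, and CPU-hungry processes.
# Added example, not Proofpoint's or the botnet's code. Run as Administrator.
param(
    [switch]$DisableSmb1   # pass to turn SMBv1 off on the server side (remediation, not just a check)
)

# Assumption: MS17-010 KB numbers as published in March 2017 for each OS family.
# A later cumulative update supersedes them, so "not found" != "vulnerable".
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
                'KB4012598','KB4012606','KB4013198','KB4013429')

$findings = [System.Collections.Generic.List[string]]::new()
$os = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$findings.Add("Host: $env:COMPUTERNAME  OS: $os")

# 1. SMBv1 server side. EternalBlue (CVE-2017-0144) is an SMBv1 bug; with SMBv1 off the
#    exploit has nothing to talk to, regardless of patch level.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 is ENABLED on the server side: EternalBlue attack surface is present.')
        if ($DisableSmb1) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $findings.Add('SMBv1 has been disabled (server side).')
        }
    } else {
        $findings.Add('SMBv1 is disabled on the server side.')
    }
} catch {
    $findings.Add("Could not query SMB server configuration: $($_.Exception.Message)")
}

# 2. Is anything reachable on TCP/445 at all? A server that does not listen is not a target.
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen445) { $findings.Add('TCP/445 is listening; make sure it is not reachable from untrusted networks.') }

# 3. MS17-010 hotfix presence (see the assumption about superseding updates above).
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $findings.Add("MS17-010 KB present: $(($installed.HotFixID) -join ', ')")
} else {
    $findings.Add('No MS17-010 KB returned by Get-HotFix; verify via the cumulative update history before concluding anything.')
}

# 4. RDP exposure. EsteemAudit (CVE-2017-0176) targets RDP on Server 2003 / XP, which cannot run
#    this script, but knowing RDP is on is still the first question for any host in the same network.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled; restrict TCP/3389 to management networks.')
}

# 5. WMI permanent event subscriptions. A clean host normally shows only the built-in
#    "SCM Event Log Filter" / "SCM Event Log Consumer" pair. CommandLine and ActiveScript consumers
#    that you did not create are what to look at first.
$consumers = Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding
foreach ($c in $consumers) {
    $kind = $c.CimClass.CimClassName
    if ($kind -in @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')) {
        $detail = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        $findings.Add("SUSPICIOUS WMI consumer [$kind] '$($c.Name)': $detail")
    }
}
foreach ($b in $bindings) {
    # Filter and Consumer are object paths, e.g. __EventFilter.Name="SCM Event Log Filter"
    $findings.Add("WMI binding: $($b.Filter) -> $($b.Consumer)")
}

# 6. Miners show up as sustained CPU consumers; list the top five with their image paths so an
#    unknown binary in a user-writable directory stands out.
Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name, Id, CPU, Path |
    ForEach-Object { $findings.Add("Top CPU: $($_.Name) (PID $($_.Id)) CPU=$([int]$_.CPU)s Path=$($_.Path)") }

$findings | ForEach-Object { Write-Output $_ }
```

Run it once without arguments to collect the findings, and again with -DisableSmb1 only after confirming nothing on the host still depends on SMBv1 (legacy scanners and some NAS devices do). The WMI and CPU sections are for triage, not proof of infection: an unexpected CommandLineEventConsumer or an unsigned binary pinned at full CPU is a reason to pull the host for forensic review, not a verdict on its own.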