Crypto-mining malware spreading via EternalBlue exploit

Over 500,000 Windows machines infected with new Monero mining software.

More than 526,000 Windows hosts – mostly Windows servers – have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint.

Posted on InfoSecurity | By Michael Hill

In a blog on its website Proofpoint, having been monitoring the miner since the end of May 2017, explained that it spreads using the EternalBlue exploit (CVE-2017-0144), and whilst Smominru has been well-documented, its use of Windows Management Infrastructure is unusual for coin mining malware.

Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” the blog reads. “The operators had already mined approximately 8900 Monero (valued this week between $2.8m and $3.6m). Each day, the botnet mined roughly 24 Monero, worth an average of $8500 this week.

At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144 SMB) to infect new nodes and increase the size of the botnet, Proofpint added, with the hosts appearing to sit behind the network autonomous system AS63199.

Leave a comment

%d bloggers like this: