Smominru Monero mining botnet making millions for operators

January 31, 2018
Kafeine

Overview

Even with recent volatility in the price of most cryptocurrencies, especially Bitcoin, interest among mainstream users and the media remains high. At the same time, Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value (Figure 1), putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions. Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators.

Figure 1: Monero cryptocurrency values (top) and relative values of major cryptocurrencies, including Bitcoin, over the past year (bottom)

Analysis

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo [6]), has been well documented [1] [2] [3] [4] [5] [10], so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Instrumentation (WMI) is unusual among coin mining malware.

The rate at which a mining operation performs the hash computations that unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz [9]. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).

Figure 2: Smominru Stats and Payments on the MineXMR mining pool

We could also see that the average hash rate to date this year was quite high (Figure 3):

Figure 3: Smominru hash rate history on MineXMR

At least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144, SMB) to infect new nodes and increase the size of the botnet. The hosts all appear to sit behind the autonomous system AS63199. Other researchers have also reported attacks via SQL Server [3], and we believe the actors are likely using EsteemAudit (CVE-2017-0176, RDP) as well, like most other EternalBlue attackers. The botnet’s command and control (C&C) infrastructure is hosted behind SharkTech, which we notified of the abuse without receiving a reply.

With the help of abuse.ch [7] and the ShadowServer Foundation [8], we conducted a sinkholing operation to determine the botnet size and the location of the individual nodes. The botnet includes more than 526,000 infected Windows hosts, most of which we believe are servers. These nodes are distributed worldwide, but we observed the highest numbers in Russia, India, and Taiwan (Figures 4 and 5).

Figure 4: Geographic distribution of Smominru nodes

Figure 5: Concentration of Smominru nodes worldwide

We contacted MineXMR to request that the current Monero address associated with Smominru be banned. The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one third of the botnet in the process (Figure 6).

Figure 6: Smominru adapting to the sinkholing and returning to two thirds of its hash rate with a new Monero mining address

Figure 7: Smominru statistics and payments associated with their new mining address

Conclusion

Cryptocurrencies have been used by cybercriminals for years in underground markets, but in the last year, we have observed standalone coin miners and coin mining modules in existing malware proliferate rapidly. As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators.

Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as may the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like the one described here to become more common and to continue growing in size.

Acknowledgement

We would like to thank abuse.ch and ShadowServer for their help.

References

[1] https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/

[2] http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

[3] https://www.guardicore.com/2017/12/beware-the-hex-men/ (Taylor)

[4] https://blogs.yahoo.co.jp/fireflyframer/34858380.html

[5] https://www.77169.com/html/158742.html

[6] https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/

[7] https://abuse.ch/

[8] https://www.shadowserver.org/

[9] https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

[10] http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

Indicators of Compromise (IOCs)

ET and ETPRO Suricata/Snort Signatures

2829231 || ETPRO TROJAN Win32/Smominru Coinminer Checkin

2804781 || ETPRO POLICY DynDNS IP Check getip

2018959 || ET POLICY PE EXE or DLL Windows file download HTTP

2015744 || ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)

2022886 || ET POLICY Crypto Coin Miner Login

2024789 || ET POLICY DNS request for Monero mining pool

2829329 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-17 1)
