Like the cryptocurrency-mining botnets Adylkuzz and Zealot, Smominru uses a powerful attack code developed by the National Security Agency and later published online by a group calling itself the Shadow Brokers. Like Zealot, Smominru uses other attack techniques to infect target computers, but in some cases it may fall back on the NSA-developed EternalBlue, presumably to propagate from machine to machine inside an already infected network, or on other infection techniques where a patch is missing. Smominru also uses the Windows administration interface. Proofpoint said the botnet can also have a severe performance impact on the business networks it infects, slowing down servers and raising power costs.
Kafeine said Proofpoint collaborated with other researchers to take over the infrastructure that controls Smominru. They also reported the illegal activity to MineXMR, the Monero mining pool the botnet subscribes to. The Smominru operators regained access to the botnet by registering new domains and new MineXMR addresses, although they may still have lost control of more than a third of it.
Earlier this week, researchers from security firm CrowdStrike released their own report on a botnet similar to Smominru. Named WannaMine, it also mines Monero and uses EternalBlue. A CrowdStrike spokesperson said company researchers believe WannaMine is distinct from Smominru: the botnet contacts different mining pool addresses and hosts its command-and-control servers with different providers, the researchers said.