Warning over powerful Smominru crypto mining botnet

Cybersecurity experts have warned that a powerful botnet that mines crypto on victims’ networks is spreading quickly.

The Smominru botnet, and variants Hexmen and Mykings, infects hardware and steals its victims’ credentials before installing a Trojan module and a cryptominer which propagates inside the network.

During August, the Smominru botnet infected 90,000 machines around the world, with an infection rate of 4,700 machines per day. Countries with several thousand infected machines include China, Taiwan, Russia, Brazil, and the US.

As the attacks were untargeted and did not discriminate between industries or targets, the malware reached victims in various sectors. The largest infected network belongs to a healthcare provider in Italy, with a total of 65 infected hosts.

Chillingly, the virus is so sophisticated that many machines were reinfected even after Smominru had been removed, according to a report by cybersecurity group Guardicore.

Authors Ophir Harpaz and Daniel Goldberg wrote: “When discussing worms, there are no interesting and uninteresting targets – every vulnerable server is under attack.

“Once it gains a foothold, Smominru attempts to move laterally and infect as many machines as possible inside the organisation. Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected.”

A Smominru infection rate map. The darker the blue, the more infections

The report added: “This suggests that these systems remain unpatched, and therefore vulnerable to this botnet or other similar attackers.

“Since patching is often complicated in large data centers, it is highly important to use additional security controls, such as applying network segmentation and minimising the number of internet-facing servers.”

The infected machines are primarily small servers with 1-4 CPU cores, but there were also some larger servers. One infected machine was running on a 32-core server.

“Unfortunately, this demonstrates that while many companies spend money on expensive hardware, they are not taking basic security measures, such as patching their running operating system,” the report added.

 

Sam Webb

Sam has nearly two decades of reporting experience and has previously worked for The Mail, The Sun, The Mirror, The Daily Star and numerous trade publications. As a freelancer, he has had stories picked up by media outlets throughout the world including Fox News, The Times and News.com.au. He focuses on foreign news and is keenly interested in how crypto is used by criminals and terrorists.
