WannaMine and Smominru: The cryptocurrency botnets causing havoc

5 Feb 2018

Monero coin logo. Image: Wit Olszewski/Shutterstock

The cryptocurrency boom is seeing cyber-criminals take advantage.

Cryptocurrencies such as bitcoin, Ethereum and Monero are growing rapidly in popularity, as the public interest in the area continues to rise.

Along with a wider knowledge of cryptocurrencies among the general public naturally comes a slew of curious cyber-criminals looking to rake in a profit – and fast.

Smominru explained

The WannaCry cyberattack in summer 2017 crippled thousands of computers in a global ransomware attack, shaking up the infosec world. The Windows exploit responsible, dubbed EternalBlue, was leaked by mysterious hacking group Shadow Brokers, but was in fact developed by the NSA.

Now, that very same EternalBlue exploit is being used by criminals to hijack machines in order to mine cryptocurrency.

The Smominru miner botnet turns infected machines into miners of the cryptocurrency Monero, according to research carried out by cybersecurity firm Proofpoint.

It apparently began operating in May of 2017 and has made its owners more than $3.5m since it was established. The beginning of Smominru came just a month or so after EternalBlue leaked.

The botnet is resilient and has remained despite major efforts to take it down. Proofpoint said the botnet includes more than 526,000 infected Windows hosts or nodes, most of which are believed to be servers. In terms of the global distribution of said nodes, the highest instances are in Russia, India and Taiwan.

The botnet operators are described as persistent, finding multiple ways to recover after sinkhole operations – a process in which security researchers redirect a botnet’s command-and-control traffic to servers they control, in order to gather information about the botnet and disrupt it.

According to researchers, Monero is becoming a more attractive currency to those interested. “As bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically.

“While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators.”

Proofpoint warned that the activities look set to continue and that botnets like this will grow in size and frequency in the future.

WannaMine: EternalBlue back in the spotlight

Spanish security firm Panda Security was the first to draw attention to WannaMine, with its researchers describing these types of exploits as “a booming business”.

It doesn’t lock users out of their computer, but security firm CrowdStrike explained that WannaMine could still wreak havoc on businesses, reporting that the malware is “rendering some companies unable to operate for days and weeks at a time”. The company wrote: “In one case, a client informed CrowdStrike that nearly 100pc of its environment was rendered unusable due to overutilisation of systems’ CPUs.”

WannaMine can infect a computer by the user clicking on a malicious link in an email or on a webpage. Once the script has infected the computer, it uses PowerShell and Windows Management Instrumentation to carry out its work.

WannaMine first uses a credential harvester called Mimikatz and, if this is not successful, the EternalBlue exploit is deployed.

There had previously been a miner botnet dubbed ‘Adylkuzz’, but WannaMine is fileless, making it much more sophisticated. Instead of installing an app, WannaMine works by taking advantage of tools already installed on machines and confusing antivirus software in the process.
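The behaviours described in the preceding paragraphs (a hidden or encoded PowerShell launch, a WMI event subscription used for fileless persistence, a credential-harvesting attempt against LSASS, and a connection to a mining pool) are each weak signals on their own but strong when they cluster on one host. The following is an added detection example written for this page; it is not code from the article, from Proofpoint, Panda Security or CrowdStrike, and it does not reproduce either botnet. The log format (one JSON object per line, loosely modelled on Sysmon field names), the indicator weights and the set of stratum ports are all assumptions, and the telemetry is constructed.

```python
"""Toy correlation of fileless-miner indicators across endpoint telemetry.

Log format is an assumption: one JSON object per line with Sysmon-like
field names. Weights, threshold and port list are illustrative choices.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). srv-01 shows the full chain;
# ws-07 shows benign PowerShell and browsing that must not be flagged.
SAMPLE_LOG = r"""
{"host":"srv-01","event":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"}
{"host":"srv-01","event":"WmiEvent","operation":"Created","type":"WmiEventConsumer","consumer":"CommandLineEventConsumer","name":"SCM Event Log Consumer"}
{"host":"srv-01","event":"ProcessAccess","source_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target_image":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"host":"srv-01","event":"NetworkConnect","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","dest_port":3333}
{"host":"ws-07","event":"ProcessCreate","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\scripts\\backup.ps1"}
{"host":"ws-07","event":"NetworkConnect","image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest_port":443}
"""

# PowerShell switches commonly abused by fileless loaders (case-insensitive).
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
LSASS = "lsass.exe"
# Ports typically used by stratum mining pools; an assumption for this toy.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}

# Weight of each indicator and the score at which a host is reported.
INDICATORS = {
    "ps_encoded_hidden": 2,
    "wmi_persistence": 3,
    "lsass_access": 3,
    "miner_port": 2,
}
THRESHOLD = 5


def classify_event(ev):
    """Return the indicator name that one parsed event matches, or None."""
    kind = ev.get("event")
    if kind == "ProcessCreate":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if "powershell" in image and (ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd)):
            return "ps_encoded_hidden"
    elif kind == "WmiEvent" and ev.get("operation") == "Created":
        # Creation of a WMI filter/consumer/binding is how the persistence is installed.
        return "wmi_persistence"
    elif kind == "ProcessAccess" and ev.get("target_image", "").lower().endswith(LSASS):
        # A non-system process opening LSASS is the footprint of credential harvesting.
        return "lsass_access"
    elif kind == "NetworkConnect" and ev.get("dest_port") in STRATUM_PORTS:
        return "miner_port"
    return None


def score_hosts(log_text):
    """Group indicators per host. Returns {host: (score, sorted indicator names)}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        indicator = classify_event(ev)
        if indicator:
            hits[ev["host"]].add(indicator)
    return {
        host: (sum(INDICATORS[i] for i in inds), sorted(inds))
        for host, inds in hits.items()
    }


def suspicious_hosts(log_text, threshold=THRESHOLD):
    """Hosts whose combined indicator score reaches the threshold."""
    return sorted(h for h, (score, _) in score_hosts(log_text).items() if score >= threshold)


if __name__ == "__main__":
    for host, (score, inds) in score_hosts(SAMPLE_LOG).items():
        print(f"{host}: score={score} indicators={inds}")
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

The point of scoring rather than alerting on any single event is that encoded PowerShell and WMI subscriptions both occur in legitimate administration; it is the co-occurrence with LSASS access and pool-port traffic on the same host that matches the chain the article describes. In a real deployment the port list would be replaced by threat-intelligence feeds and the WMI rule tightened to the specific consumer and binding events, but the correlation structure stays the same.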

This botnet is also distinct from Smominru as it contacts a different mining pool address and uses different servers.

The popularity of cryptocurrencies is not close to waning, so expect to see more companies being hit by massive botnets threatening their critical business processes.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects