What Is It?
Recently several articles have described how the massive increase in value of various cryptocurrencies has seen attackers switching focus from ransomware to cryptocurrency mining as it becomes the most lucrative form of malware.
The rise in miner malware is such that, SANS Internet Storm Center handler Kevin Liston opined that he should add an infra-red camera to his incident response toolkit, given that a computer infected with a miner would be using all available computing power and therefore be running hotter than other computers in the same office.
One such miner is Smominru, recently analyzed by Proofpoint researchers, which targets the Monero cryptocurrency. They state the attackers have already mined approximately 8,900 Monero, due to the volatility of cryptocurrency valuations this equates to somewhere between $2.8 and $3.6 million and are currently mining Monero worth around $8,500 every day.
The Smominru miner spreads to vulnerable Microsoft Windows systems by utilizing the leaked NSA EternalBlue exploit (CVE-2017-0144), even though Microsoft released a patch for this in March 2017 (MS17-010).
How Does It Propagate?
As mentioned, the Smominru miner uses the EternalBlue exploit to spread. This highlights the need to have a robust patching policy and ensuring that internet facing systems have all unnecessary services turned off, in this case Windows network file sharing.
When/How Did BluVector Detect It?
BluVector’s patented Machine Learning Engine (MLE) detects Smominru as malicious. Regression testing on samples of four different versions of Smominru has shown they would have been detected by BluVector 32, 49 and 50 months prior to their release.