Smominru Uses EternalBlue to Target Crypto-Mining

What Is It?

Smominru (a new piece of miner attack), recently analyzed by Proofpoint researchers, targets the Monero cryptocurrency. They state the attackers have already mined approximately 8,900 Monero. Due to the volatility of cryptocurrency valuations this equates to somewhere between $2.8 and $3.6 million. They are currently mining Monero worth around $8,500 every day.

Recently several articles describe how the massive increase in value of various cryptocurrencies has seen attackers switching focus from ransomware to cryptocurrency mining as it becomes the most lucrative form of malware.

The rise in miner malware is such that, SANS Internet Storm Center handler Kevin Liston opined that he should add an infra-red camera to his incident response toolkit. This is because a computer infected with a miner would use all available computing power and be running hotter than other computers in the same office.

The Smominru miner spreads to vulnerable Microsoft Windows systems by utilizing the leaked NSA EternalBlue exploit (CVE-2017-0144), even though Microsoft released a patch for this in March 2017 (MS17-010).

How Does It Propagate?

As mentioned, the Smominru miner uses the EternalBlue exploit to spread. This highlights the need to have a robust patching policy and ensuring that internet facing systems have all unnecessary services turned off, in this case Windows network file sharing.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects Smominru as malicious. Regression testing on samples of four different versions of Smominru has shown they would have been detected by BluVector 32, 49 and 50 months prior to their release.

All Threat Reports