Nasty botnet uses WannaCry exploit to mine cryptocurrency from your servers

The Smominru miner botnet has been using the EternalBlue exploit to steal millions of dollars worth of Monero from Windows servers and other machines.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Proofpoint researchers are tracking the Smominru miner botnet, which uses the EternalBlue exploit to turn Windows servers into Monero miners.
  • As cryptocurrency mining grows in popularity for attackers, businesses that fall victim to it may see a negative impact on their critical infrastructure.

A botnet known as Smominru has been using the WannaCry exploit—EternalBlue—to turn Windows servers into cryptocurrency miners. The botnet has captured between $2.8-3.6 million worth of Monero, according to a Proofpoint research report.

At the time of the report, the botnet had mined 24 Monero in a week—worth $8,500 at the time of its publication. While cryptocurrency mining has become a common tool in the hacker's tool belt, the methods of Smominru are novel.

Smominru is a well-documented botnet, Proofpoint researchers wrote, but that fact that it uses Windows Management Infrastructure to carry out its attack is unique. Further, many nodes in Smominru are Windows servers, which could mean businesses are the main victims of the botnet.

SEE: Network security policy (Tech Pro Research)

Cryptocurrency mining is a compute-intensive task. So, if an attacker targets a business's machines, it could lead to a negative performance impact. This could also impact critical business infrastructure, the report said, as the mining will force servers to run closer to capacity and drive up energy usage.

Servers also make a valuable target for this kind of botnet because they rarely, if ever, get turned off. As noted by Danny Palmer from our sister site ZDNet, this leaves much more time available for Monero mining.

As the report also noted, it's inefficient to mine cryptocurrency on a single machine, so attacks like this botnet must be distributed. Smominru is quick to spread, at one point claiming 526,000 nodes among its ranks, the report said.

The Smominru botnet is also large—roughly double the size of the Adylkuzz mining botnet that forced Raspberry Pi machine to mine cryptocurrency.

Since it's based on EternalBlue, Smominru is resilient and difficult to fully shut down. Researchers have made some strides in getting on top of it, but the operators are recovering quickly, the report said.

"Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes," the report said. "We also expect botnets like that described here to become more common and to continue growing in size."

Also see

Image: iStockphoto/mjora

About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.

Editor's Picks

Free Newsletters, In your Inbox