Smominru Botnet

Smominru, an infamous cryptocurrency-mining and credential-stealing botnet, has become one of the rapidly spreading computer viruses that is now infecting over 90,000 machines each month around the world.

Though the campaigns that are hacking computers with the Smominru botnet have not been designed to go after targets with any specific interest, the latest report from Guardicore Labs researchers shed light on the nature of the victims and the attack infrastructure.

According to the researchers, just last month, more than 4,900 networks were infected by the worm without any discrimination, and many of these networks had dozens of internal machines infected.

Active since 2017, Smominru botnet compromises Windows machines primarily using EternalBlue, an exploit that was created by the U.S. National Security Agency but later got leaked to the public by the Shadow Brokers hacking group and then most famously used by the hard-hitting WannaCry ransomware attack in 2016.

A month ago, it was also revealed that the operators behind the botnet upgraded Smominru to add a data harvesting module and Remote Access Trojan to their botnet’s cryptocurrency mining code.

The botnet is infecting vulnerable machines-the majority of which are running Windows 7 and Windows Server 2008-at a rate of 4,700 machines per day with several thousands of infections detected in countries including China, Taiwan, Russia, Brazil, and the U.S. Majority of the infected machines discovered were primarily small servers, with 1-4 CPU cores, leaving most of them unusable due to over-utilization of their CPUs with the mining process.

Guardicore researchers have also released a complete list of IoCs and a free Powershell script on GitHub that you can run from your Windows command-line interface to check if your system is infected with the Smominru worm or not.