Though its origins date back to 2017, Smominru is a dangerous botnet that has been making headlines recently as it continues to spread, attacking targets in every industry. Smominru, which also operates under variant names including Hexmen and Mykings, has infiltrated hundreds of thousands of machines, primarily attacking Windows servers. Smominru is not only resilient, it also poses a treacherous dual threat, capable of both stealing data and cryptomining.
How Does Smominru Work?
Smominru has several methods of infiltration. Commonly, the EternalBlue exploit (also used in the WannaCry and NotPetya attacks), which preys on a vulnerability in Microsoft's SMB protocol, is used. Though a patch for this vulnerability is available, unpatched machines remain prevalent across many networks. Other methods like brute-forcing and credential stuffing attacks are also frequently used to gain access. Smominru maintains its presence through several methods, deploying multiple payloads and creating backdoors.
Once Smominru has achieved entry, it takes over, leeching processing power to mine the cryptocurrency Monero. The owners of the Smominru botnet have managed to generate millions of dollars, due both to the size of the botnet and to the types of machines that are infected. Smominru is made up of over 500,000 infected nodes (with some estimates landing closer to one million) and it targets servers, which not only have far more processing power, but are also never turned off, allowing cryptocurrency to be generated around the clock.
Smominru doesn't simply utilize a device's processing power. In its most recent upgrade, it has begun stealing information, often using a Remote Access Trojan (RAT). Typically, credentials are harvested and later used to create backdoors or to further propagate the malware by password spraying across the domain into additional services and protocols.
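Because the post describes Smominru gaining and extending access through brute forcing, credential stuffing and password spraying across the domain, the following is an added example of the triage a defender can run over failed-logon records to tell those two patterns apart: one source hammering one account (brute force) versus one source touching many accounts a few times each (spraying). This code was written for this page and is not part of the original post or of any Core Security product; the key=value record format, field names and thresholds are assumptions, and the log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample records in a simplified key=value form modelled on the
# fields of a Windows failed-logon event (EventID 4625). Not real log data.
SAMPLE_LINES = (
    # 10.0.0.5: six different accounts, one attempt each -> spraying pattern
    [f"2024-01-10T09:00:{i:02d}Z EventID=4625 SourceIP=10.0.0.5 Account={a}"
     for i, a in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # 10.0.0.9: one account, twelve attempts -> brute-force pattern
    + [f"2024-01-10T09:01:{i:02d}Z EventID=4625 SourceIP=10.0.0.9 Account=admin"
       for i in range(12)]
    # 10.0.0.20: a single typo followed by a successful logon (4624) -> benign
    + ["2024-01-10T09:02:00Z EventID=4625 SourceIP=10.0.0.20 Account=grace",
       "2024-01-10T09:02:05Z EventID=4624 SourceIP=10.0.0.20 Account=grace"]
)

# Assumed record layout; adapt the pattern to the SIEM export you actually have.
LINE_RE = re.compile(
    r"EventID=(?P<event>\d+)\s+SourceIP=(?P<ip>\S+)\s+Account=(?P<acct>\S+)"
)
FAILED_LOGON = "4625"


def parse_failures(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, account) pairs for every failed-logon record.

    Lines that do not match the layout, or that are not failed logons, are
    skipped rather than raising, so one odd line cannot stop the triage.
    """
    failures = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None or m.group("event") != FAILED_LOGON:
            continue
        failures.append((m.group("ip"), m.group("acct")))
    return failures


def classify_sources(
    failures: List[Tuple[str, str]],
    spray_min_accounts: int = 5,      # distinct accounts before we call it spraying
    spray_max_per_account: int = 3,   # spraying stays under lockout thresholds
    brute_min_attempts: int = 10,     # repeated failures on one account
) -> Dict[str, str]:
    """Label each source IP as brute_force, password_spray or benign.

    Thresholds are illustrative assumptions; tune them to your lockout policy.
    """
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for ip, acct in failures:
        per_ip[ip][acct] += 1

    verdicts: Dict[str, str] = {}
    for ip, accounts in per_ip.items():
        busiest = max(accounts.values())
        if busiest >= brute_min_attempts:
            verdicts[ip] = "brute_force"
        elif len(accounts) >= spray_min_accounts and busiest <= spray_max_per_account:
            # Many accounts, few tries each: the low-and-slow spray that
            # per-account lockout counters are designed not to notice.
            verdicts[ip] = "password_spray"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_failures(SAMPLE_LINES)).items():
        print(f"{ip:<12} {verdict}")
```

The point of keeping the two rules separate is that per-account lockout, the usual brute-force control, never fires on a spray: each account sees only one or two failures. Grouping failures by source across all accounts is what surfaces the lateral movement the post describes, and a source flagged as spraying is also a candidate for the "already harvested credentials" stage rather than just a noisy scanner.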
What to do After a Smominru Attack
Once a Smominru infection is discovered, removing the infection is relatively straightforward. A basic malware scanner can even work for individual workstations. If multiple systems throughout an organization's network have been attacked, it may take the security team some time to clear. More recently, Smominru is typically the only malware found during the cleanup process, as the latest versions remove other malware present on the system to eliminate competition from other threat actors.
However, reports show that one in four victims suffered reinfection. This indicates that organizations are not taking the time to solve the real problems that allowed the infection to get through in the first place. Until efforts are made to remediate gaps in an organization’s overall security posture, they will perpetually be at risk.
How to Prevent Smominru Attacks
Since Smominru's primary focus is still on cryptojacking, organizations need to have solid antivirus protection as their first line of defense. However, you can't focus just on workstations. Server-side protection is critical, as servers are a primary target for miners looking for large sources of processing power.
Core Security has been tracking the Smominru botnet, as well as the threat actors who use it to deploy their malware. Core Network Insight uses the threat intelligence gathered by Core Labs and our global sensor network to identify Smominru and other infections inside our customer networks based on typical network behavior profiles observed in the wild. Though there is a patch available for EternalBlue, not all machines are capable of using it. Network Insight is an agentless, OS- and platform-agnostic compromised device detection solution which is able to detect Smominru, as well as associated malware infections, on machines unable to use the patch, like SCADA devices, point of sale terminals and ATMs, IoT devices, diagnostic imaging machines and mobile medical devices.
While Network Insight can also detect Smominru on devices that can apply the EternalBlue patch but have not yet done so, these devices should be patched as soon as possible, and regular updates should become routine to close vulnerabilities that are remedied in new releases. However, the best way to ensure your organization isn't leaving other openings to threat actors is through regular penetration testing.
For instance, Core Impact penetration testing software enables its users to test various tactics and methods that emulate indicators of compromise (IOCs) seen with the Smominru botnet, like network sniffing, credential dumping, persistence, file modification and deletion, PowerShell, and exfiltration over Command and Control channels (HTTP, HTTPS, DNS). Core Security added the EternalBlue exploit to Core Impact weeks after the initial release of the exploit in 2017. Since then, Core Security has added additional modules to enhance the capabilities of the exploit.
Pen testing and pen testing solutions like Core Impact can also uncover other weaknesses in an organization's environment, like weak passwords, which leave organizations at risk of brute-forcing attacks. Regular testing can get to the root cause of attacks like Smominru, and remediation efforts like patches, password strengthening, or process changes can prevent reinfection, or even prevent infection from occurring in the first place.