Microsoft Windows servers around the globe are playing host to a mining botnet known as Smominru Monero, which may have made as much as US$3.6 million for its operators based on the current value of the Monero cryptocurrency. The security company Proofpoint said in a blog post that since May last year, its researchers had been monitoring the miner that was infecting new Windows servers using the EternalBlue exploit, malware crafted by the NSA and leaked on the Web in April 2017 by a group known as the Shadow Brokers.

While Proofpoint researcher Kafeine said that the miner, which had been christened as Smominru or Ismo, was well-known, the fact that it was using Windows Management Infrastructure was unusual. “Based on the hash power associated with the Monero payment address for this operation, it appears that this botnet was likely twice the size of Adylkuzz,” he wrote.

Other researchers had noted attacks via Microsoft’s SQL Server and EsteemAudit, an RDP vulnerability. A sinkholing operation had provided an estimate of 526,000 infected Windows hosts, most of which were in Russia, India and Taiwan.

Kafeine said Proofpoint had contacted the mining pool MineXMR to request that that the existing Monero address associated with Smominru be removed, but though this was done after several days, the botnet operators were observed registering new domains and mining to a new address on the same mining pool. On the bright side, the operators may have lost control over a third of the botnet as a result.

“Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity,” Kafeine said. “The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.” Read more from…

thumbnail courtesy of