As the cryptocurrency craze continues to surge among users, despite the unpredictable and volatile nature of digital currencies, opportunistic cybercriminals are constantly developing fresh techniques and attacks to target the market. Security researchers have now discovered a massive global botnet dubbed "Smominru" that has been secretly mining millions of dollars worth of cryptocurrency for its operators for months.
According to Proofpoint researchers, the botnet has been active since May 2017 and has infected over 526,000 Windows hosts so far using the EternalBlue exploit (CVE-2017-0144) developed by the US National Security Agency (NSA). The exploit had been leaked by the hacking group Shadow Brokers in April last year.
Researchers said the Monero miner's use of Windows Management Infrastructure is "unusual" and different from other cryptomining malware. Based on the hashpower linked to the Monero payment address for this bot, they believe Smominru is likely twice the size of the cryptocurrency miner Adylkuzz.
Over the past few months, the operators have mined about 8,900 Monero ($2.45m, £1.73m at current rates) at a rate of 24 Monero ($6,616, £4,664) per week.
"At least 25 hosts were conducting attacks via EternalBlue to infect new nodes and increase the size of the botnet," researchers said in a blog post published on Wednesday, 31 January. "These nodes, most of which are likely servers, are located across the globe, with the majority in Russia, India and Taiwan."
Smominru's command and control infrastructure is hosted behind DDoS protection company SharkTech, which has been notified by the researchers. They have also reached out to MineXMR to ban the Monero address linked to Smominru.
"The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. It appears that the group may have lost control over one-third of the botnet in the process," Proofpoint noted.
Cybercriminals have long favoured cryptocurrencies in underground markets to evade detection and cover their tracks, and experts have observed, and predict, a continued rise in the use of cryptocurrency miners, cryptojacking and malware attacks, and web-based mining.
"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators," researchers said.
They also warned that cryptojacking attacks and the exploitation of high-performance CPU power to mine digital currencies could have a devastating impact on businesses in terms of both cost and energy usage.
"The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations," researchers added. "We also expect botnets like that described here to become more common and to continue growing in size."