A massive cryptocurrency mining botnet has generated as much as $3.6 million worth of the digital coin known as Monero since last May, a researcher said Wednesday. The windfall isn’t the only noteworthy thing about the botnet. Dubbed Smominru, it’s also significant for the 526,000 computers it has infected and for the ability of its operators to withstand takedown attempts by whitehats.
“As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically,” a researcher who uses the pseudonym Kafeine wrote in a blog post published by security firm Proofpoint. “While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators.”
Like cryptocurrency mining botnets known as Adylkuzz and Zealot, Smominru appropriates potent exploit code developed by the National Security Agency and later published online by a group calling itself the Shadow Brokers.
Like Zealot, Smominru uses other exploit techniques to infect targeted computers, but it can fall back on the NSA-developed EternalBlue in certain cases, presumably for spreading from machine to machine inside infected networks or when other infection techniques fail on a machine that hasn’t been patched. Smominru also makes use of the Windows Management Interface. Proofpoint said that the botnet is also likely exacting a punishing performance impact on the business networks it infects by slowing down servers and driving up electricity costs.
Kafeine said that Proofpoint worked with other researchers to seize control of the domains used to control Smominru. They also reported the illegal activity to MineXMR, the Monero mining pool the botnet subscribed to. Smominru operators held on to the botnet by registering new domains and new addresses for MineXMR, although it’s possible the operators may have lost control of more than a third of the botnet in the process.
But wait, there’s more
Earlier this week, researchers from security firm CrowdStrike issued their own report on a botnet that bears some resemblance to Smominru. Named WannaMine, it also mines Monero and uses EternalBlue. A CrowdStrike spokeswoman said company researchers believe WannaMine is distinct from Smominru. The researchers said the botnets contact different mining pool addresses and host their command and control servers with different providers.
Another similarity between WannaMine and Smominru is the destructive effect they have on the machines and networks they infect.
“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time,” company researchers wrote. “The tools have caused systems and applications to crash due to such high CPU utilization speeds.”