What is the Smominru Botnet?
Though its origins date back to 2017, Smominru is a dangerous botnet that has been making headlines recently as it continues to spread, attacking targets in every industry. Smominru, which also operates under known variants including Hexmen and MyKings, has infiltrated hundreds of thousands of machines, primarily attacking Windows servers. Smominru is not only resilient, it also poses a treacherous dual threat, capable of both stealing data and cryptomining.
How Does Smominru Work?
Smominru has several methods of infiltration. Most commonly it uses the EternalBlue exploit (also used in the WannaCry and NotPetya attacks), which targets a vulnerability in Microsoft’s SMB protocol. Although a patch for this vulnerability is available, it remains unpatched across many networks. Other methods, such as brute-forcing and credential stuffing attacks, are also frequently used to gain access. Smominru maintains its presence through several methods, deploying multiple payloads and creating backdoors.
Once Smominru has achieved entry, it takes over, leeching processing power to mine the cryptocurrency Monero. The owners of the Smominru botnet have managed to generate millions of dollars, both because of the size of the botnet and because of the types of machines that are infected. Smominru is made up of over 500,000 infected nodes (with some estimates closer to one million), and it targets servers, which not only have far more processing power but are also never turned off, allowing cryptocurrency to be generated around the clock.
Smominru doesn’t simply utilize a device’s processing power. In its most recent upgrade, it has begun stealing information, often using a Remote Access Trojan (RAT). Typically, credential harvesting is performed, and is later utilized to create backdoors or to further propagate malware by password spraying across the domain into additional services/protocols.
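The access patterns described above (brute-forcing a single account, spraying one password across many domain accounts, and one source failing against many hosts as it propagates) all leave the same kind of trace: failed logons. The following is an added example, not code from this post or from Core Security, showing how a defender can sort failed-logon records from one source into those three patterns. The record layout, the sample records and the thresholds are assumptions chosen for illustration; the fields are modelled loosely on the Windows Security event 4625 ("An account failed to log on").

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One failed-logon record: (source_ip, target_host, account).
# Fields modelled loosely on Windows Security event 4625; the records produced
# by _constructed_sample() are made up for this example, not real telemetry.
LogonFailure = Tuple[str, str, str]


def _constructed_sample() -> List[LogonFailure]:
    """Constructed input covering the three patterns plus benign noise."""
    sample: List[LogonFailure] = []
    # 10.0.0.5: 25 failures against one account on one server (brute force)
    sample += [("10.0.0.5", "SRV-01", "administrator")] * 25
    # 10.0.0.9: 12 accounts, 2 failures each, one server (password spraying)
    for i in range(1, 13):
        sample += [("10.0.0.9", "SRV-02", f"user{i:02d}")] * 2
    # 10.0.0.17: one service account tried once against six servers (spreading)
    for i in range(1, 7):
        sample.append(("10.0.0.17", f"SRV-{i:02d}", "svc_backup"))
    # 10.0.0.33: a user who mistyped a password three times (benign noise)
    sample += [("10.0.0.33", "SRV-01", "jdoe")] * 3
    return sample


@dataclass(frozen=True)
class Finding:
    kind: str        # "brute_force", "password_spray" or "lateral_spread"
    source_ip: str
    detail: str


def classify_failed_logons(
    records: Iterable[LogonFailure],
    bf_threshold: int = 20,          # failures on one account -> brute force
    spray_min_accounts: int = 10,    # distinct accounts from one source
    spray_max_per_account: int = 3,  # ...each with at most this many tries
    lateral_min_hosts: int = 5,      # distinct hosts hit from one source
) -> List[Finding]:
    """Group failures by source IP and flag the patterns described in the post.

    brute_force    : many failures against a single account from one source
    password_spray : many distinct accounts, few failures each, from one source
    lateral_spread : one source failing against many different hosts
    Thresholds are assumed values; tune them to the environment's baseline.
    """
    by_source: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, host, account in records:
        by_source[src].append((host, account))

    findings: List[Finding] = []
    for src, attempts in sorted(by_source.items()):
        per_account = Counter(account for _, account in attempts)
        hosts = {host for host, _ in attempts}
        worst_account, worst_count = per_account.most_common(1)[0]

        if worst_count >= bf_threshold:
            findings.append(Finding(
                "brute_force", src,
                f"{worst_count} failures against '{worst_account}'"))

        if (len(per_account) >= spray_min_accounts
                and worst_count <= spray_max_per_account):
            findings.append(Finding(
                "password_spray", src,
                f"{len(per_account)} accounts, at most {worst_count} tries each"))

        if len(hosts) >= lateral_min_hosts:
            findings.append(Finding(
                "lateral_spread", src,
                f"failures against {len(hosts)} different hosts"))
    return findings


if __name__ == "__main__":
    for f in classify_failed_logons(_constructed_sample()):
        print(f"{f.kind:15} {f.source_ip:10} {f.detail}")
```

The distinction matters for response: a brute-force source is handled by lockout and blocking, a spray indicates a weak shared password policy across the domain, and a source failing against many hosts is the propagation step the post describes and warrants isolating that machine, not just resetting one account. Correlate the findings with the same source's successful logons (event 4624) to see whether any of the attempts got through.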
Attacked by Smominru? Here's What to Do
Once a Smominru infection is discovered, removing the infection is relatively straightforward. A basic malware scanner can even work for individual workstations. If multiple systems throughout an organization’s network have been attacked, it may take the security team some time to clear them all. More recently, Smominru is typically the only malware found during the cleanup process, as the latest versions remove other malware present on the system to eliminate competition from other threat actors.
However, reports show that one in four victims suffered reinfection. This indicates that organizations are not taking the time to solve the real problems that allowed the infection to get through in the first place. Until efforts are made to remediate gaps in an organization’s overall security posture, they will perpetually be at risk.
How to Prevent Smominru Attacks
Since Smominru’s primary focus is still cryptojacking, organizations need to have solid antivirus protection as their first line of defense. However, you can’t focus just on workstations. Server-side protection is critical, as servers are a primary target for miners looking for large sources of processing power.
Core Security, part of Fortra’s suite of cybersecurity solutions, has been tracking the Smominru botnet, as well as the threat actors who use it to deploy their malware. Core Network Insight uses the threat intelligence gathered by Core Labs and our global sensor network to identify Smominru and other infections inside Fortra’s customer networks, based on the typical network behavior profiles observed in the wild. Although there is a patch available for EternalBlue, not all machines are able to apply it.
Network Insight is an agentless and OS/platform agnostic compromised device detection solution, which is able to detect Smominru, as well as associated malware infections on machines unable to use the patch, like SCADA devices, point of sale terminals and ATMs, IoT devices, diagnostic imaging machines and mobile medical devices.
Network Insight can also detect Smominru on devices that can apply the EternalBlue patch but have not yet done so. These devices should be patched as soon as possible, and regular updates should become routine so that vulnerabilities fixed in new releases are closed promptly. Beyond patching, the best way to ensure your organization isn’t leaving other openings for threat actors is regular penetration testing.
For instance, Core Impact penetration testing software enables organizations to test various tactics and methods that can emulate indicators of compromise (IOCs) seen with the Smominru botnet, like network sniffing, credential dumping, persistence, file modification and deletion, PowerShell, and exfiltration over Command and Control Channels (HTTP, HTTPS, DNS).
Regular pen testing can get to the root cause of attacks like Smominru, and remediation efforts such as patching, password strengthening, or process changes can prevent reinfection, or prevent the infection from occurring in the first place.
A Suite of Security Solutions Delivers More Peace of Mind
As detailed above, Fortra’s suite of cybersecurity solutions provides the layers of security needed in today’s cyberthreat environment. Another security layer to consider, for businesses large and small, is secure, managed file transfer, such as GoAnywhere MFT. With GoAnywhere in place, critical files are protected both at rest and in transit.
The streamlined, automatic workflows and strong, built-in encryption protocols in GoAnywhere MFT allow organizations to gain better control over their files both inside and outside of the organization, no matter the file size or type. This can help meet compliance and data security requirements and deliver efficiency to business processes.