Friday, January 24, 2025

Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit


Threat actors behind the Smominru botnet compromised nearly 90,000 Windows computers in the last month using the EternalBlue exploit and brute-force attacks on MS-SQL, RDP, and Telnet services.

Researchers found that the botnet infects more than 4,000 systems daily, taking control of them by exploiting vulnerabilities in unpatched systems.

The Smominru botnet has hit countries including China, Taiwan, Russia, Brazil, and the US, where several thousand systems were infected, including those of educational institutions, medical firms, and even some cybersecurity companies.

The attackers do not focus on any particular target; the attack reaches victims in various sectors, on any system with vulnerable servers.

Smominru has worm capabilities, so once it infects any one system in a network, it moves on to other networks in the organization.

Cybersecurity firm Guardicore shared its report with GBHackers on Security, saying: "Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts."


Windows 7 and Windows Server 2008 are the most infected systems, accounting for 85% of all infections; these versions are highly vulnerable to the EternalBlue exploit.

How Does Smominru Botnet Infect the System?

The attackers behind Smominru use a PowerShell script named blueps.txt, which is dropped onto the victim's machine as the first stage of infection. The script starts executing the binaries and performs several other operations.

It then creates a new admin user named admin$ and downloads additional scripts to carry out the malicious process.

It also opens several backdoors on the infected device to perform different operations, using mechanisms such as newly created users and scheduled tasks.

Smominru disables and blocks other campaigns on the infected machine and deletes the files associated with any existing malicious campaign.


“During the infection process, botnet blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines”.

Smominru Botnet Worm Module

As discussed above, the binary files dropped by blueps.txt contain various malicious programs, including a worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).

The worm module u.exe is responsible for downloading DLLs from the command-and-control server, scanning the network for vulnerabilities and reporting back to the attacker.

The attacker uses this data to customize the worm, adding, modifying and removing propagation techniques.

According to Guardicore research, the worm is an executable file downloaded as wpd.jpg and saved locally as msinfo.exe. This is the module responsible for spreading the malicious payloads within the network, using a Python-based EternalBlue exploit and brute-force of multiple Windows services, such as MS-SQL, Telnet, RDP, and more.


Another executable file drops the open-source Trojan named PcShare, which is capable of download-and-execute, command and control, screenshot capturing and information stealing; it is primarily used to download the Monero cryptominer.

The threat actors behind this attack used almost 20 servers as part of the botnet. Most of the servers are hosted in the US, with some hosted by ISPs in Malaysia and Bulgaria.

"The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks." It is highly recommended to update systems and apply the necessary patches, Guardicore said.
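The host artifacts named in the two sections above (the admin$ account, the dropped file names, and scheduled tasks as a persistence mechanism) can be correlated per host to triage endpoint telemetry. The following is an added example, not code from Guardicore or from the original article; the event field names, host names, paths, task names and weights are assumptions constructed for illustration, and events are assumed to be already normalised from the Windows Security and Sysmon channels.

```python
import ntpath
from collections import defaultdict

# File and account names come from the article; it gives no paths or hashes.
DROPPED_NAMES = {"blueps.txt", "u.exe", "ups.exe", "upsupx.exe",
                 "max.exe", "ok.exe", "wpd.jpg", "msinfo.exe"}
ROGUE_ACCOUNT = "admin$"
USER_CREATED, TASK_CREATED = 4720, 4698   # Windows Security log event IDs
PROC_CREATE, FILE_CREATE = 1, 11          # Sysmon event IDs

# Constructed events: hosts, paths, task names and field names are made up.
SAMPLE_EVENTS = [
    {"host": "ws-014", "event_id": 4720, "target_user": "admin$"},
    {"host": "ws-014", "event_id": 11, "path": r"C:\Windows\Temp\msinfo.exe"},
    {"host": "ws-014", "event_id": 4698, "task_name": r"\UpdateCheck"},
    {"host": "srv-db2", "event_id": 4698, "task_name": r"\NightlyBackup"},
    {"host": "srv-db2", "event_id": 1, "path": r"C:\Windows\System32\msinfo32.exe"},
    {"host": "ws-020", "event_id": 11, "path": r"D:\share\WPD.JPG"},
]

def classify(event):
    """Return (label, weight, strong) for a relevant event, else None."""
    eid = event["event_id"]
    if eid == USER_CREATED and event.get("target_user", "").lower() == ROGUE_ACCOUNT:
        return ("account:" + ROGUE_ACCOUNT, 3, True)
    if eid in (PROC_CREATE, FILE_CREATE):
        # Exact basename match, so the legitimate msinfo32.exe is not flagged.
        name = ntpath.basename(event.get("path", "")).lower()
        if name in DROPPED_NAMES:
            return ("file:" + name, 2, True)
    if eid == TASK_CREATED:
        # The article names no task, so a new task only corroborates other hits.
        return ("task:" + event.get("task_name", "?"), 1, False)
    return None

def triage(events):
    """Score each host; report only hosts with at least one strong indicator."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["host"]].append(hit)
    return {host: {"score": sum(w for _, w, _ in hits),
                   "hits": sorted(label for label, _, _ in hits)}
            for host, hits in per_host.items()
            if any(strong for _, _, strong in hits)}

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, info["score"], ", ".join(info["hits"]))
```

File names are trivial to change between campaigns, so a hit is a lead for host triage rather than a verdict; the account creation and the combination of indicators on one host carry more weight than any single file name.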

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
