Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit

Threats actors behind the Smominru botnet compromised nearly 90,000 windows computers in last month using EternalBlue exploit and performing brute force attacks on MS-SQL, RDP, Telnet services.

Researcher uncovered that the botnet infected more than 4000 systems, network daily, and take control of it by exploiting the vulnerabilities in the unpatched systems.

Smominru botnet targeting the origins including China, Taiwan, Russia, Brazil, and the US where several thousands of systems infected including education institutions, medical firms, and even some of the cybersecurity companies.

Cybercriminals not focusing on any particular targets, they have initiated the attack and reached victims in various sectors on every system that vulnerable servers.

Smominru botnet distributed with worm capabilities, so if it infects any one of the systems in the network, then move into other networks in the organization.

Cybersecurity firm Guadicode share the reports to GBHackers on Security says ” Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts. “

Image credits: Guardicore

Windows 7 and Windows Server 2008 are the most infected systems with 85% of all infection, and these versions are highly vulnerable to ExternalBlue exploit.

How Does Smominru Botnet Infect the System?

Attackers behind the Smoninru using Powershell script named blueps.txt  that drops the victim’s machine as the first stage of infection and start executing the binaries and also it performs several operations.

Later it creates a new admin user that named admin$ and download the additional scripts to perform the malicious process.

Also it opens the several backdoor from the infected device to perform the perform different operation such as newly-created users, scheduled task.

Smominru botnet disable and blocking the other campaigns in the infected machine and delete the associated file of the existing malicious campaign.

Image credits: Guardicore

“During the infection process, botnet blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines”.

Smominru Botnet Worm Module

As we discussed above, A binary files that dropped by blueps.txt contains various malicious programs including worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).

A worm module u.exe is responsible to download the DLL’s from command and control server to scan the network to find the vulnerabilities and report back to the attack.

Attacker using the data to customize the worm and add, modify and remove propagation techniques.

According to Guardicore research, The worm is an executable file downloaded as wpd.jpg and saved locally as msinfo.exe. This is the module responsible for spreading the malicious payloads within the network, using a Python-based EternalBlue exploit and brute-force of multiple Windows services, such as MS-SQL, Telnet, RDP, and more.

Image credits: Guardicore

Another executable file drops the open-source Trojan named PcShare that is capable of download and executes, command and control, screenshot capturing and information stealing and also it primarily used for download the Monecrypto miner.

Threat actors behind this attack used almost 20 servers as a part of the botnet and most of the servers hosted in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks.” it’s highly recommended to update the system and apply the necessary patch. Guardcore said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates