Thursday, March 28, 2024

Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit

Threats actors behind the Smominru botnet compromised nearly 90,000 windows computers in last month using EternalBlue exploit and performing brute force attacks on MS-SQL, RDP, Telnet services.

Researcher uncovered that the botnet infected more than 4000 systems, network daily, and take control of it by exploiting the vulnerabilities in the unpatched systems.

Smominru botnet targeting the origins including China, Taiwan, Russia, Brazil, and the US where several thousands of systems infected including education institutions, medical firms, and even some of the cybersecurity companies.

Cybercriminals not focusing on any particular targets, they have initiated the attack and reached victims in various sectors on every system that vulnerable servers.

Smominru botnet distributed with worm capabilities, so if it infects any one of the systems in the network, then move into other networks in the organization.

Cybersecurity firm Guadicode share the reports to GBHackers on Security says ” Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts. “

Image credits: Guardicore

Windows 7 and Windows Server 2008 are the most infected systems with 85% of all infection, and these versions are highly vulnerable to ExternalBlue exploit.

How Does Smominru Botnet Infect the System?

Attackers behind the Smoninru using Powershell script named blueps.txt  that drops the victim’s machine as the first stage of infection and start executing the binaries and also it performs several operations.

Later it creates a new admin user that named admin$ and download the additional scripts to perform the malicious process.

Also it opens the several backdoor from the infected device to perform the perform different operation such as newly-created users, scheduled task.

Smominru botnet disable and blocking the other campaigns in the infected machine and delete the associated file of the existing malicious campaign.

Image credits: Guardicore

“During the infection process, botnet blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines”.

Smominru Botnet Worm Module

As we discussed above, A binary files that dropped by blueps.txt contains various malicious programs including worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).

A worm module u.exe is responsible to download the DLL’s from command and control server to scan the network to find the vulnerabilities and report back to the attack.

Attacker using the data to customize the worm and add, modify and remove propagation techniques.

According to Guardicore research, The worm is an executable file downloaded as wpd.jpg and saved locally as msinfo.exe. This is the module responsible for spreading the malicious payloads within the network, using a Python-based EternalBlue exploit and brute-force of multiple Windows services, such as MS-SQL, Telnet, RDP, and more.

Image credits: Guardicore

Another executable file drops the open-source Trojan named PcShare that is capable of download and executes, command and control, screenshot capturing and information stealing and also it primarily used for download the Monecrypto miner.

Threat actors behind this attack used almost 20 servers as a part of the botnet and most of the servers hosted in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks.” it’s highly recommended to update the system and apply the necessary patch. Guardcore said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles