Friday, March 29, 2024

Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit

Threats actors behind the Smominru botnet compromised nearly 90,000 windows computers in last month using EternalBlue exploit and performing brute force attacks on MS-SQL, RDP, Telnet services.

Researcher uncovered that the botnet infected more than 4000 systems, network daily, and take control of it by exploiting the vulnerabilities in the unpatched systems.

Smominru botnet targeting the origins including China, Taiwan, Russia, Brazil, and the US where several thousands of systems infected including education institutions, medical firms, and even some of the cybersecurity companies.

Cybercriminals not focusing on any particular targets, they have initiated the attack and reached victims in various sectors on every system that vulnerable servers.

Smominru botnet distributed with worm capabilities, so if it infects any one of the systems in the network, then move into other networks in the organization.

Cybersecurity firm Guadicode share the reports to GBHackers on Security says ” Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts. “

Image credits: Guardicore

Windows 7 and Windows Server 2008 are the most infected systems with 85% of all infection, and these versions are highly vulnerable to ExternalBlue exploit.

How Does Smominru Botnet Infect the System?

Attackers behind the Smoninru using Powershell script named blueps.txt  that drops the victim’s machine as the first stage of infection and start executing the binaries and also it performs several operations.

Later it creates a new admin user that named admin$ and download the additional scripts to perform the malicious process.

Also it opens the several backdoor from the infected device to perform the perform different operation such as newly-created users, scheduled task.

Smominru botnet disable and blocking the other campaigns in the infected machine and delete the associated file of the existing malicious campaign.

Image credits: Guardicore

“During the infection process, botnet blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines”.

Smominru Botnet Worm Module

As we discussed above, A binary files that dropped by blueps.txt contains various malicious programs including worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).

A worm module u.exe is responsible to download the DLL’s from command and control server to scan the network to find the vulnerabilities and report back to the attack.

Attacker using the data to customize the worm and add, modify and remove propagation techniques.

According to Guardicore research, The worm is an executable file downloaded as wpd.jpg and saved locally as msinfo.exe. This is the module responsible for spreading the malicious payloads within the network, using a Python-based EternalBlue exploit and brute-force of multiple Windows services, such as MS-SQL, Telnet, RDP, and more.

Image credits: Guardicore

Another executable file drops the open-source Trojan named PcShare that is capable of download and executes, command and control, screenshot capturing and information stealing and also it primarily used for download the Monecrypto miner.

Threat actors behind this attack used almost 20 servers as a part of the botnet and most of the servers hosted in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks.” it’s highly recommended to update the system and apply the necessary patch. Guardcore said.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles