Smominru Botnet Hacked 90,000 Windows Computers in Last Month Using EternalBlue Exploit

Threats actors behind the Smominru botnet compromised nearly 90,000 windows computers in last month using EternalBlue exploit and performing brute force attacks on MS-SQL, RDP, Telnet services.

Researcher uncovered that the botnet infected more than 4000 systems, network daily, and take control of it by exploiting the vulnerabilities in the unpatched systems.

Smominru botnet targeting the origins including China, Taiwan, Russia, Brazil, and the US where several thousands of systems infected including education institutions, medical firms, and even some of the cybersecurity companies.

Cybercriminals not focusing on any particular targets, they have initiated the attack and reached victims in various sectors on every system that vulnerable servers.

Smominru botnet distributed with worm capabilities, so if it infects any one of the systems in the network, then move into other networks in the organization.

Cybersecurity firm Guadicode share the reports to GBHackers on Security says ” Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts. “

Image credits: Guardicore

Windows 7 and Windows Server 2008 are the most infected systems with 85% of all infection, and these versions are highly vulnerable to ExternalBlue exploit.

How Does Smominru Botnet Infect the System?

Attackers behind the Smoninru using Powershell script named blueps.txt  that drops the victim’s machine as the first stage of infection and start executing the binaries and also it performs several operations.

Later it creates a new admin user that named admin$ and download the additional scripts to perform the malicious process.

Also it opens the several backdoor from the infected device to perform the perform different operation such as newly-created users, scheduled task.

Smominru botnet disable and blocking the other campaigns in the infected machine and delete the associated file of the existing malicious campaign.

Image credits: Guardicore

“During the infection process, botnet blocks various TCP ports (SMB, RPC) in order to prevent other attackers from breaching its own infected machines”.

Smominru Botnet Worm Module

As we discussed above, A binary files that dropped by blueps.txt contains various malicious programs including worm downloader (u.exe / ups.exe), a Trojan horse (upsupx.exe) and an MBR rootkit (max.exe / ok.exe).

A worm module u.exe is responsible to download the DLL’s from command and control server to scan the network to find the vulnerabilities and report back to the attack.

Attacker using the data to customize the worm and add, modify and remove propagation techniques.

According to Guardicore research, The worm is an executable file downloaded as wpd.jpg and saved locally as msinfo.exe. This is the module responsible for spreading the malicious payloads within the network, using a Python-based EternalBlue exploit and brute-force of multiple Windows services, such as MS-SQL, Telnet, RDP, and more.

Image credits: Guardicore

Another executable file drops the open-source Trojan named PcShare that is capable of download and executes, command and control, screenshot capturing and information stealing and also it primarily used for download the Monecrypto miner.

Threat actors behind this attack used almost 20 servers as a part of the botnet and most of the servers hosted in the US, with some hosted by ISPs in Malaysia and Bulgaria. 

“The spreading of Smominru is heavily based on weak passwords, but it also relies on the existence of EternalBlue vulnerable machines. Unpatched systems allow the campaign to infect countless machines worldwide and propagate inside internal networks.” it’s highly recommended to update the system and apply the necessary patch. Guardcore said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

200,000 WordPress Sites Exposed to Cyber Attack, Following Plugin Vulnerability

A critical security vulnerability has been discovered in the popular WordPress plugin Anti-Spam by CleanTalk, which…

1 hour ago

Beware Of SpyLoan Apps Exploits Social Engineering To Steal User Data

SpyLoan apps, a type of PUP, are rapidly increasing, exploiting social engineering to deceive users…

3 hours ago

Researchers Detailed Tools Used By Hacktivists Fueling Ransomware Attacks

CyberVolk, a politically motivated hacktivist group, has leveraged readily available ransomware builders like AzzaSec, Diamond,…

3 hours ago

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…

5 hours ago

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

5 hours ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

6 hours ago