The way strategies — both defensive and offensive — are evolving in cybersecurity is incredible. There was a time when it was all about taking systems down with attacks like DDoS, phishing, malware; then ransomware came into the picture; and today, the strategies to pwn computers have reached a whole new level. Threat actors have started leveraging ways that not only hack systems but also make use of those systems to mine cryptocurrencies.
Smominru botnet is one such computer threat that has gained tremendous traction and has been creating a lot of hustle and bustle in the cyber world. According to a report, this notorious botnet is now infecting over 90,000 machines each month all around the world.
What is Smominru?
The history of the Smominru botnet dates back to 2017, and it has variants such as Hexmen and Mykings. It is basically a crypto-mining botnet that is also equipped with worming capabilities.
From the get-go, this notorious botnet has gained significant traction. In August 2019, it came to light that Smominru makes use of several propagation methods, such as the EternalBlue exploit (which was also used by NotPetya and WannaCry), brute-force attacks and credential-harvesting attacks.
Datacenter and cloud security company Guardicore has been tracking this botnet since the very beginning, and the company recently released a report stating that it managed to get into one of Smominru's core servers. The company has also stated that, over time, it has studied and monitored the botnet's infection patterns, gathered information about the compromised machines and networks, and assessed the botnet's impact.
Once the Smominru botnet successfully lands on a system, it takes one of its most notorious steps by downloading a PowerShell script — blueps.txt. The script then creates a new administrative user named admin$ on the system and downloads additional scripts to perform malicious actions such as stealing victim credentials, installing a Trojan module and a crypto miner, and propagating inside the network. That is not all: it also creates several other backdoors on the compromised machine in different phases of the attack.
The Smominru Impact
Talking about the impact of this infamous botnet, in August 2019 Smominru compromised 4,700 machines per day, and at such a rate over 90,000 systems have been infected all around the globe; China, Taiwan, Russia, Brazil and the US are some of the nations with a high infection rate. Furthermore, while a lot of sectors have been victims of Smominru, some specific sectors have witnessed most of the attacks — higher-education institutions, medical firms and, surprisingly, even cybersecurity companies have fallen prey to this botnet.
While all of this information proves that the impact of this botnet is brutal enough, there is one more feature that makes it one of the most effective botnets for malicious activities. According to a report, the latest version of Smominru also makes sure that other threat actors do not interfere. Therefore, the botnet eliminates other infections or malicious elements from the system it targets. Furthermore, it also blocks TCP ports (SMB, RPC) in order to prevent other threat actors from compromising the already-compromised system.
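The behaviour described in the two passages above (the admin$ account, the blueps.txt PowerShell script, and the blocking of the SMB/RPC ports) gives a defender three concrete things to hunt for. The following is an added example, not code from the article or from Guardicore: it scans a batch of constructed Windows event records and flags those indicators. The event-record layout (keys such as target_user, command_line, rule_action and rule_ports) is an assumption standing in for whatever a SIEM export or parsed evtx would give you, and treating the port blocking as a Windows Firewall rule addition (event 4946) is likewise an assumption, since the article does not say how the botnet blocks the ports.

```python
# Added example (not from the article): hunting for the Smominru indicators the
# article names across constructed Windows Security event records.
from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the article text.
SUSPICIOUS_ACCOUNTS = {"admin$"}
SUSPICIOUS_SCRIPTS = {"blueps.txt"}
LOCKOUT_PORTS = {135, 445}          # RPC and SMB, which the botnet blocks

# Windows Security log event IDs (standard numbering).
EVENT_USER_CREATED = 4720           # A user account was created
EVENT_PROCESS_CREATED = 4688        # A new process has been created
EVENT_FIREWALL_RULE_ADDED = 4946    # A rule was added to the Windows Firewall exception list


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def hunt(events: Iterable[dict]) -> list[Finding]:
    """Return one Finding per event that matches an indicator.

    The event dict layout (keys 'target_user', 'command_line', 'rule_action',
    'rule_ports') is an assumption of this example, i.e. the shape a SIEM
    export or a parsed evtx might give you, not a real Windows format.
    """
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("host", "<unknown>")
        if eid == EVENT_USER_CREATED:
            # The article: a new administrative user named admin$ is created.
            user = str(ev.get("target_user", ""))
            if user.lower() in SUSPICIOUS_ACCOUNTS:
                findings.append(Finding(host, f"local account {user!r} created"))
        elif eid == EVENT_PROCESS_CREATED:
            # The article: a PowerShell script named blueps.txt is downloaded and run.
            cmd = str(ev.get("command_line", "")).lower()
            if "powershell" in cmd and any(s in cmd for s in SUSPICIOUS_SCRIPTS):
                findings.append(Finding(host, "PowerShell launched with a known Smominru script name"))
        elif eid == EVENT_FIREWALL_RULE_ADDED:
            # Assumption: the SMB/RPC blocking shows up as a new inbound block rule.
            blocked = set(ev.get("rule_ports", [])) & LOCKOUT_PORTS
            if ev.get("rule_action") == "block" and blocked:
                findings.append(Finding(host, f"inbound block rule added for ports {sorted(blocked)}"))
    return findings


def hosts_with_findings(events: Iterable[dict]) -> set[str]:
    """Hosts that produced at least one finding, for triage."""
    return {f.host for f in hunt(events)}


# Constructed sample telemetry: two benign records and three that match.
SAMPLE_EVENTS = [
    {"event_id": 4720, "host": "ws-01", "target_user": "jsmith"},
    {"event_id": 4720, "host": "srv-07", "target_user": "admin$"},
    {"event_id": 4688, "host": "srv-07",
     "command_line": "powershell.exe -File C:\\ProgramData\\blueps.txt"},
    {"event_id": 4688, "host": "ws-01",
     "command_line": "C:\\Windows\\System32\\notepad.exe"},
    {"event_id": 4946, "host": "srv-07", "rule_action": "block", "rule_ports": [135, 445]},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason}")
```

Running the block prints three findings, all on the constructed host srv-07. In practice the account and script names are the weakest signals, since an attacker can rename either; the sudden appearance of block rules for SMB and RPC on a server that needs those ports is the behaviour worth alerting on regardless of which botnet is behind it.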
Patching systems is definitely one of the most important things for every organisation. While many companies take this seriously, there are companies that ignore the fact that patching your systems can deliver significant protection against cyber threats.
The Smominru botnet attack was also aided by unpatched systems. The botnet focuses solely on systems that have not been patched for quite a long time, and that is the reason why machines running Windows 7 and Windows 8 server became the major victims of this attack. Further, Smominru is also capable of making things worse even after you remove it from the infected server.
Over the years, several malware families and botnets have shown that the hacking world is witnessing a significant evolution, and a single mistake by a company is enough for these threats to take things down. Technology has not only empowered companies and individuals but has also empowered threat actors to come up with strategies and methods that are highly brutal.
It is high time that organisations start taking a look at their cybersecurity infrastructure one more time and make sure that there are no loopholes that would help any threat actor to pwn.
Harshajit is a writer / blogger / vlogger. A passionate music lover whose talents range from dance to video making to cooking. Football runs in his blood. Like literally! He is also a self-proclaimed technician and likes repairing and fixing stuff. When he is not writing or making videos, you can find him reading books/blogs or watching videos that motivate him or teaches him new things.