Over 526,000 Windows computers —mainly Windows servers— have been infected with Monero mining software by a group that operates the biggest such botnet known to date.
This group's operations have been known to security researchers since last year, and several companies have published reports on its activity. The most recent, from Proofpoint, is the source of the 526,000 figure above; because the botnet is so large and widespread, the earlier reports each covered only a fraction of the group's entire operation.
Other companies that published reports on fractions of the botnet's infrastructure and operations include GuardiCore, Trend Micro, Kaspersky, Panda Security, and Crowdstrike, but also some independent Chinese researchers [1, 2].
Putting all these reports together gives a big picture of the largest mining botnet seen to date: over 526,000 infected machines, and roughly 8,900 Monero (about $2.3 million) mined for its operators.
Smominru, as the botnet is known, uses several techniques to infect machines. Its operators rely mainly on the EternalBlue exploit (CVE-2017-0144, the SMBv1 flaw fixed by MS17-010), but they have also deployed EsteemAudit (CVE-2017-0176, a flaw in the RDP service of Windows XP and Windows Server 2003); both take over machines running unpatched or end-of-life Windows versions.
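The practical question for a Windows administrator reading this is whether a given server is exposed to those two vectors. The PowerShell check below is an added example, not code from the article or from any of the vendors it cites. It assumes it is run elevated, in Windows PowerShell 3.0 or later, on the host being checked; the KB numbers are the MS17-010 packages for the common server SKUs as listed in that bulletin (verify them against it for your OS), and on Windows 10 / Server 2016 and later the fix ships inside cumulative updates under other KB numbers, so "not found" there means "check the build", not "vulnerable".

```powershell
# Added example: per-host exposure check for the two Smominru infection vectors.
#  - EternalBlue (CVE-2017-0144) needs an SMBv1 server that is missing MS17-010.
#  - EsteemAudit (CVE-2017-0176) needs RDP reachable on Windows XP / Server 2003.
# Assumptions: elevated Windows PowerShell 3.0+ on the target host; KB list taken
# from the MS17-010 bulletin for common server SKUs (verify for your OS; newer
# Windows versions carry the fix inside cumulative updates with other KB IDs).
$ms17010Kbs = @(
    'KB4012598',              # XP / Server 2003 / Vista / Server 2008 (legacy packages)
    'KB4012212', 'KB4012215', # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012213', 'KB4012216'  # Windows 8.1 / Server 2012 R2
)

function Test-Smb1Enabled {
    # Server 2012+ expose the setting through the SmbShare module; older hosts
    # only through the LanmanServer key, where an absent SMB1 value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $val) -or ($val.SMB1 -ne 0)
}

function Test-RdpEnabled {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $val = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    return ($null -ne $val) -and ($val.fDenyTSConnections -eq 0)
}

function Get-SmominruExposure {
    $os       = [Environment]::OSVersion.Version
    $legacyOs = $os.Major -lt 6            # 5.x = Windows XP / Server 2003

    # Which MS17-010 packages, if any, are present on this host.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Where-Object { $ms17010Kbs -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)

    $smb1 = Test-Smb1Enabled
    $rdp  = Test-RdpEnabled

    [PSCustomObject]@{
        Host             = $env:COMPUTERNAME
        OsVersion        = $os.ToString()
        Smb1Enabled      = $smb1
        Ms17010Installed = ($installed -join ',')
        RdpEnabled       = $rdp
        # EternalBlue needs SMBv1 on *and* the patch missing; disabling SMBv1
        # alone closes that vector even on a host where no KB was matched.
        EternalBlueRisk  = $smb1 -and ($installed.Count -eq 0)
        # EsteemAudit only matters on XP / 2003 hosts with RDP turned on.
        EsteemAuditRisk  = $legacyOs -and $rdp
    }
}

Get-SmominruExposure | Format-List
```

Run it across a fleet with Invoke-Command and collect the objects; any host reporting EternalBlueRisk as True should have SMBv1 disabled regardless of what the hotfix lookup found, and any host reporting EsteemAuditRisk as True should not have TCP 3389 reachable from anything but a jump host. A complementary network-side check is Test-NetConnection against ports 445 and 3389 from outside the server segment, which catches hosts that cannot be reached with this script at all.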
As GuardiCore pointed out, the botnet has also gone after MySQL servers on Linux hosts and MSSQL databases on Windows servers.
Both GuardiCore and NetLab have seen the group drop an assortment of malware on infected hosts, from Mirai DDoS bots to backdoors, although its primary operation has always been Monero mining.
According to data gathered after sinkholing part of the botnet's infrastructure, most victims are located in Russia, India, Taiwan, Ukraine, and Brazil.
While the sinkholing operation yielded results that allowed Proofpoint to approximate the botnet's size at around half a million, a NetLab researcher told Bleeping Computer their company estimates the botnet at around 1 million infected hosts, based on different sources.
In an earlier report, GuardiCore said it found strong evidence that Smominru's operators are based in mainland China, even though Proofpoint says most of the botnet's IP scanners run out of AS63199, a US-based network.
Proofpoint also pointed out that Smominru is now almost twice the size of Adylkuzz, the first malware family to use the EternalBlue exploit, ahead of WannaCry. Adylkuzz was also a Monero-mining botnet.
Last week, Bleeping Computer ran a story highlighting how Monero-mining malware is becoming the prevalent threat on the Internet. A Cisco Talos report released this week has confirmed that Monero mining malware is slowly edging out ransomware as cyber-criminals' go-to operation.