Smominru hijacks half a million PCs to mine cryptocurrency, steals access data for Dark Web sale

Commodity cryptomining appears to be shifting to a data theft model.
Written by Charlie Osborne, Contributing Writer

A known cryptomining campaign has managed to infiltrate over 500,000 machines worldwide and is evolving to not only mine for cryptocurrency but to also steal access data.

On Wednesday, researchers from Carbon Black's Threat Analysis Unit (TAU) said the campaign, known as Smominru (.PDF), is enslaving systems via a botnet in order to illicitly mine Monero (XMR).

Many of today's cryptojacking efforts use the same template in attacks: infiltrate a system by way of a vulnerability or through brute-forcing weak credentials, harness CPU power, and send any cryptocurrency generated to a wallet owned by the malware's operator. 

However, Smominru appears to be going far beyond cryptomining and is now also seeking to steal information from vulnerable targets. The malware has been upgraded with a secondary component that steals system data in what the researchers call "access mining."

Access mining is the introduction of a data harvesting module and Remote Access Trojan (RAT) to cryptocurrency mining code. Information, such as access credentials, can then be harvested and sent to a command-and-control (C2) setup or compromised FTP servers. 

See also: Microsoft launches Azure Security Lab, expands bug bounty rewards

A custom version of XMRig is used to mine, while commercially-available malware and open-source code, including Mimikatz, has also been modified for purposes including data theft, credential stealing, and propagation. 

According to the researchers, access mining stems from the potential financial rewards of a combination of mining and data theft, if done at scale. Monero is worth $92 at the time of writing, and the average cost of access to a compromised server in so-called 'access marketplaces' is as low as $6.75.

CNET: Huawei ban: Full timeline on how and why its phones are under fire

"Based on the specific system details they gathered, it is plausible this information could be sold on an access marketplace, allowing for remote access into these systems for use as zombies in large-scale attacks or to execute targeted attacks on specific hosts at specific companies," TAU says. 

The botnet has been active for at least two years and generally spreads through the EternalBlue exploit, an old vulnerability made public in 2017 that was also used during the global WannaCry ransomware campaign. 

Victims are mainly in the Asia Pacific region, and while the researchers can't say for certain that access to compromised systems is being sold in the Dark Web, they do say "such a complex and dangerous campaign is plausible."

TechRepublic: Slack's new security features give enterprise admins more control over data

An interesting connection between Smominru and the MyKings botnet, a spreader used for Mirai, RATs, and cryptominers, has also surfaced. While the campaigns use different domains, a single email address was traced as the source of domain registrations for both botnets -- and TAU believes the link between the two highlights not only the lucrative nature of access mining but also the true scale of the problem. 

TAU says:

"Combining all of these factors paints the picture of a threat actor who had motivation to move away from commodity malware, but instead had the right tools and environment to evolve the commodity threat to mask a new cybercrime business model of mining system access for resale and distribution. 

Now, instead of relying solely on revenue from Monero mining, they have supplemented that revenue with the sale of remote system access at scale."

North Korea's history of bold cyber attacks

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards