Researchers Found the Biggest Botnet Dedicated to Hidden Monero Mining

More than half a million Windows machines, mostly servers, have been zombified by Monero mining malware spread by a cyber gang that built the biggest mining botnet found to date. This botnet is called Smominru.

Several security companies have released research on this cyber group's activity. It is a relatively new gang: the crooks started operating no earlier than last year.

All earlier reports describing the Smominru botnet managed to cover only a small part of the gang's operation. Partial views of the botnet infrastructure had previously been provided by Kaspersky, TrendMicro, and Panda Security. However, the latest study by Proofpoint sheds light on the entire malware campaign.

Smominru botnet made $2.2 million with the help of 526,000 infected computers.

Putting all the reports together, we can see the big picture of the largest crypto-mining botnet of all time. This botnet enslaved 526,000 computers into mining the Monero cryptocurrency, which allowed the malware authors to earn almost 8,900 Monero coins, equal to $2,242,800 at the time of writing.

To infect all those machines, the crooks behind the Smominru botnet used several sophisticated techniques, including the EternalBlue and EsteemAudit exploits. Although these are powerful exploits, only computers running unpatched Windows systems are vulnerable to them.

Besides Windows computers, the botnet attacked Linux computers running MySQL servers, as well as Microsoft SQL Servers.

As stated above, Monero mining is the primary operation, but the group also deploys several other malware strains, such as backdoors and Mirai DDoS bots, onto hacked hosts.

The victim count may be approaching 1 million

Although Proofpoint estimated the botnet size at about 526,000, another group of researchers, after evaluating different sources, estimates that the botnet includes almost 1 million bots.

The most targeted countries are Ukraine, Russia, Brazil, and Taiwan.

GuardiCore reports that it found evidence that the Smominru group is physically based in China. Proofpoint found that the Internet scanners the botnet uses all have US IP addresses.

Interestingly, the Smominru botnet is twice the size of the Adylkuzz botnet. Adylkuzz was the first malware to make use of the EternalBlue exploit, and it was also aimed at mining Monero.

It looks like more and more botnet operators are abandoning ransomware in favor of mining cryptocurrencies. Monero mining malware is quickly becoming the number one Internet threat.


David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs a project that presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.