It is based on the EternalBlue exploit. The Smominru miner botnet turns infected machines into miners of the Monero cryptocurrency and is believed to have made its owners around $3.6m since it started operating in May 2017. The botnet was made up of 526,000 nodes at its peak. Despite efforts to take it down, the botnet is particularly resilient and keeps regenerating itself, and therefore remains a powerful Monero mining tool for its operators. It takes control of, with a large proportion of the nodes in the network consisting of Windows servers.
The servers are always on, providing a continuous, lucrative stream of Monero. Organizations may remain unaware that their servers have become part of the Smominru botnet, even though the mining can degrade performance and raise energy costs. Efforts have been made to shut down the botnet, but its operators have been able to recover. The highest numbers of infected systems are found in Russia, India, and Taiwan.