Cybercriminals appear to be increasingly turning their attention to cryptocurrency miners as a means of easily making money. Attackers are turning away from ransomware in favor of fraudulent cryptocurrency mining. A massive cryptocurrency mining botnet, Smominru, has taken over half a million machines, and may have made its cybercriminal controllers millions of dollars.
It is based on the EternalBlue exploit. The Smominru miner botnet turns infected machines into miners of the Monero cryptocurrency and is believed to have made its owners around $3.6m since it started operating in May 2017. The botnet was made up of 526,000 nodes at its peak. Despite efforts to take it down, the botnet is particularly resilient and keeps regenerating itself, and therefore remains a powerful Monero mining tool for its operators. It takes control of, with a large proportion of the nodes in the network consisting of Windows servers.
The servers are always on, providing a continuous, lucrative stream of Monero. Organizations may remain unaware that their servers have become part of the Smominru botnet, even though the mining botnet can cause performance levels to drop and raise energy costs. Efforts have been made to shut down the botnet, but its operators have been able to recover. The highest numbers of infected systems are found in Russia, India, and Taiwan.