Researchers report rapid propagation of Smominru botnet
- The Smominru botnet has been observed to infect nearly 90,000 machines in the past month.
- This botnet primarily exploits EternalBlue vulnerability and also performs brute force attacks on MS-SQL, RDP, and Telnet services.
Researchers noted that the infection rate was about 4,700 machines per day and the list of most affected countries include U.S., Russia, China, Brazil, and Taiwan.
What did the researchers find?
Guardicore Labs published a report about the massive propagation of the Smominru botnet.
- They observed that many machines were reinfected with Smominru, even after disinfecting. This may indicate that the systems remain unpatched and vulnerable to similar attacks.
- The infected networks in the August attack span across various sectors, including medical firms, higher education institutes, and cybersecurity industries. This suggests that the attack wasn’t targeted at a particular industry, but at any infected vulnerable server available.
“Once it gains a foothold, Smominru attempts to move laterally and infect as many machines as possible inside the organization. Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected,” reads the report.
How does it operate?
Once infected, Smominru downloads a Powershell script called ‘blueps.txt’ that creates a new administrator on the system, executes binary files, and downloads other malicious scripts to the system.
- It then creates multiple backdoors for several operations such as newly-created users and scheduled tasks.
- It eliminates other malicious actors in the system by killing processes, deleting executable files, dropping backdoor credentials of other actors, and removing scheduled tasks and jobs that may belong to other actors.
- Various TCP ports are blocked to prevent other malicious actors from infecting systems that are already infected by Smominru.
- The current iteration of this botnet runs nearly twenty scripts and binary payloads.
- Researchers observed that most of the machines used are dedicated servers, and not repurposed victim servers that are usually present in such attacks.
How to protect your network?
There are Powershell scripts available to detect the presence of Smominru worms. You can also check the list of Indicators of Compromise (IOCs) available in the Guardiacore blog.
Researchers say that weak passwords and EternalBlue vulnerabilities are exploited by the Smominru botnet to propagate. So it is essential that your machines are patched with the latest security fixes available.