Cryptocurrency Botnets Potentially Damaging Business Operations

3k

134

8

6

6

More

17

6

10

Read Time: 2 min.

One example, the Smominru cryptocurrency botnet, has infected 526,000 machines, generated as much as $3.6 million.

While cryptocurrency speculators may be watching their screens with concern, as the market sheds billions of market capitalisation, it’s fair to say that criminals are busy doubling down on crypto mining operations.

The latest cryptocurrency mining botnet to be discovered has mined as much as $3.6 million in the popular Monero cryptocurrency since last May. Dubbed Smominru, the powerful malware has recruited at least 526,000 computers, mainly in Russia, India, and Taiwan and has proven resistant to white-hat attempts to disable it. The scale and power of the botnet implies that it is extracting a heavy penalty in hardware usage and electricity costs from the unknowing businesses hosting it, according to researchers.

“ Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity ”, noted researchers from Proofpoint.

Ilia Kolochenko, CEO, High-Tech Bridge said: “ With the steady growth and popularity of digital currencies, we should expect continuous and persistent growth of attacks targeting the wallets and/or installing malware to mine the coins.

“ Unlike credit cards, PayPal or bank accounts, digital currencies is a unique opportunity for cybercriminals to use stolen [digital] money without risks of beings halted or having their money frozen. Law enforcement and governments have virtually no control over the digital coins and cannot intervene into the game at the moment. Therefore, using all previously existed and some emerging techniques of phishing and drive-by-download attacks, cyber criminals will likely focus their efforts on crypto currencies in the near future. ”

In addition, Smominru uses a variety of exploit techniques to infect targeted computers, including the National Security Agency (NSA) developed EternalBlue, also famously used in the WannaCry ransomware. EternalBlue (CVE-2017-0144) was leaked into the public domain by a group calling itself the Shadow Brokers in April 2017.

Researchers spotted at least 25 hosts conducting attacks via the EternalBlue exploit, and also believe that the those responsible are also EsteemAudit (CVE-2017-0176 RDP), like many other EternalBlue attackers.

The miner’s use of Windows Management Infrastructure is unusual among coin mining malware, according to the Proofpoint researchers, who summarised: “ The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size. ”

Researchers at Crowdstrike reported on a similar botnet they dubbed ‘Wannamine’, which has been hitting enterprises extremely aggressively: “ CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds. In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems’ CPUs. ”

The discoveries follow a growing deluge of actors recruiting business and consumer computers to mine cryptocurrency, often Monero, due partly to inbuilt privacy safeguards in this cryptocurrency. One recent campaign involved simple social engineering techniques to get users to click on a shortened bit.ly link, which in turn downloaded the XMRigMonero miner. That campaign alone infected over 15 million users across the globe, hitting South America, Southeast Asia and northern Africa the hardest.

Mark Mayne Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.