Recent publications described new capabilities of the Smominru botnet and the intent of its operators. These prompted us to search for the campaign's indicators in Guardicore Global Sensors Network (GGSN) and Guardicore Cyber Threat Intelligence. The attacks strongly resembled those of the Hexmen group we researched last year, which led us to analyze the campaign's most recent iteration in detail.

Guardicore Labs gained access to one of the attackers' core servers, the one that stores victim information and credentials. Monitoring the server's contents over time enabled us to study infection patterns and draw conclusions about the extent of the campaign. Guardicore Labs has informed identifiable victims and provided them with the details of their infected machines.

Directory listing of the attacker’s FTP server

The attackers' logs describe each infected host: its external and internal IP addresses, the operating system it runs and even the load on the system's CPU(s). In addition, the attackers attempt to collect the list of running processes and to steal credentials using Mimikatz.

Guardicore Labs decided to take a closer look at the nature of the victims to better understand who is in the crosshairs of Smominru’s (and similar groups’) attacks.

Victim Analysis and Statistics

During August, the Smominru botnet infected 90,000 machines around the world, with an infection rate of 4,700 machines per day. Countries with several thousand infected machines each include China, Taiwan, Russia, Brazil and the US.

Global distribution of Smominru. Darker colors represent more infected countries.

Infected networks include US-based higher-education institutions, medical firms and even cyber security companies. The attacks were untargeted and did not discriminate between industries or organizations, so they reached victims in every sector. With worms there is no such thing as an interesting or uninteresting target: every vulnerable server is under attack.

Once it gains a foothold, Smominru attempts to move laterally and infect as many machines as possible inside the organization. Within one month, more than 4,900 networks were infected by the worm. Many of these networks had dozens of internal machines infected. The largest network belongs to a healthcare provider in Italy with a total of 65 infected hosts.

Number of infected hosts per network

Not surprisingly, Windows 7 and Windows Server 2008 are the most infected operating systems, representing 85 percent of all infections. These are the Windows versions for which a reliable EternalBlue exploit is publicly available on the internet. Other victim operating systems include Windows Server 2012, Windows XP and Windows Server 2003. Most of these are systems that have been out of support for years or are about to reach end of life. Note that Microsoft published MS17-010 fixes for all of them, including out-of-band patches for Windows XP and Windows Server 2003 in May 2017, so none of these machines had to remain exploitable.

OS Distribution across victim machines

The infected machines are primarily small servers with 1-4 CPU cores, but larger servers were infected as well. We found more than 200 victim machines with more than 8 cores; one of them was a 32-core server. Unfortunately, this shows that many companies spend money on expensive hardware while neglecting basic security measures, such as patching the operating system running on it.

Number of hosts per number of CPUs

According to our analysis, one fourth of the victims were reinfected by the worm. This suggests that victims attempted to clean up their systems without fixing the root cause that left them vulnerable in the first place, such as an unpatched SMB service exposed to EternalBlue or credentials that had already been harvested with Mimikatz.
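To make the victim analysis above concrete, here is an added example (not Guardicore's tooling and not taken from the attackers' server) that derives the same kinds of statistics from a victim log: unique hosts, OS distribution, the share of hosts on the versions the article ties to public EternalBlue exploits, hosts per network, hosts with more than 8 cores, and reinfections. The record layout is an assumption: the article says each record carries the host's external and internal IP addresses, operating system and CPU load, but it does not show the file format, so a pipe-delimited layout with a timestamp and core count is assumed. The sample rows are constructed, the grouping of hosts into networks by shared external IP is an assumption, and so is the rule that a host reported again more than 24 hours after a previous report counts as reinfected.

```python
"""Analyze a worm operator's victim log and compute infection statistics.

Added example; the log format is a constructed assumption, not the layout
of the real server described in the article.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical layout: timestamp|external_ip|internal_ip|os|cores|cpu_load
# Rows are constructed sample data (documentation-range IP addresses).
SAMPLE_LOG = """\
2019-08-01T03:12:44Z|203.0.113.10|10.0.0.5|Windows 7|4|0.83
2019-08-01T03:14:02Z|203.0.113.10|10.0.0.7|Windows Server 2008 R2|8|0.97
2019-08-01T03:15:31Z|203.0.113.10|10.0.0.9|Windows 7|2|0.90
2019-08-02T11:40:10Z|198.51.100.23|192.168.1.20|Windows Server 2012|32|0.99
2019-08-03T08:01:55Z|192.0.2.77|172.16.4.4|Windows XP|1|0.75
2019-08-03T08:02:30Z|192.0.2.77|172.16.4.4|Windows XP|1|0.75
2019-08-09T19:22:08Z|203.0.113.10|10.0.0.5|Windows 7|4|0.88
2019-08-15T22:05:47Z|198.51.100.23|192.168.1.20|Windows Server 2012|32|0.98
"""

# Versions the article associates with a public EternalBlue exploit.
EXPLOIT_OS_PREFIXES = ("Windows 7", "Windows Server 2008")
# Assumption: two reports for one host closer than this are the same infection
# (e.g. a retry), anything further apart is treated as a reinfection.
REINFECTION_GAP = timedelta(hours=24)


def parse_log(text):
    """Parse the pipe-delimited log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ext, internal, os_name, cores, load = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ext": ext, "int": internal, "os": os_name,
            "cores": int(cores), "load": float(load),
        })
    return records


def host_key(rec):
    """A host is identified by its (external IP, internal IP) pair."""
    return (rec["ext"], rec["int"])


def unique_hosts(records):
    return {host_key(r) for r in records}


def os_distribution(records):
    """Count each host once, using the OS from its most recent report."""
    latest = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        latest[host_key(r)] = r["os"]
    return Counter(latest.values())


def exploitable_share(records):
    """Fraction of hosts running a version with a public EternalBlue exploit."""
    dist = os_distribution(records)
    hit = sum(n for os_name, n in dist.items()
              if os_name.startswith(EXPLOIT_OS_PREFIXES))
    return hit / sum(dist.values()) if dist else 0.0


def hosts_per_network(records):
    """Assumption: hosts behind the same external IP belong to one network."""
    nets = defaultdict(set)
    for r in records:
        nets[r["ext"]].add(r["int"])
    return {ext: len(hosts) for ext, hosts in nets.items()}


def reinfected_hosts(records):
    """Hosts reported again more than REINFECTION_GAP after an earlier report."""
    seen = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        seen[host_key(r)].append(r["ts"])
    out = set()
    for host, stamps in seen.items():
        if any(b - a > REINFECTION_GAP for a, b in zip(stamps, stamps[1:])):
            out.add(host)
    return out


def large_hosts(records, min_cores=8):
    """Hosts with more than min_cores CPU cores."""
    return {host_key(r) for r in records if r["cores"] > min_cores}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unique hosts:", len(unique_hosts(recs)))
    print("OS distribution:", dict(os_distribution(recs)))
    print("share on Win7/2008: %.0f%%" % (100 * exploitable_share(recs)))
    print("hosts per network:", hosts_per_network(recs))
    print("reinfected:", sorted(reinfected_hosts(recs)))
    print("hosts with >8 cores:", sorted(large_hosts(recs)))
```

On the constructed sample this reports five hosts, three of them in the network behind 203.0.113.10, a 60 percent share on Windows 7 / Server 2008, one 32-core machine, and two reinfected hosts (the two XP reports 35 seconds apart are treated as one infection). When applying the same logic to a real log, the identity key and the reinfection gap are the two choices to revisit: hosts behind carrier-grade NAT or with DHCP-assigned internal addresses will collide or split under the (external IP, internal IP) key.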