
Cybercrime, the global spread of the Smominru botnet continues

25 September 2019

«Guardicore: cybercrime continues to spread the Smominru botnet. Over 90,000 computers were infected in August alone, and a healthcare provider in Italy was among those affected. The malware targets Windows systems, using an EternalBlue exploit and brute force attacks.


Cybercrime is striking again all over the world with Smominru. According to Guardicore's cyber security experts, the botnet infected over 90,000 machines globally in August alone, including a healthcare provider in Italy. The malware, active since 2017 and seen in several variants (Hexmen and Mykings), targets Microsoft Windows systems for cryptomining, specifically Windows 7 and Server 2008, using an EternalBlue exploit. In addition, it can brute-force various services and protocols, such as MS-SQL, RDP and Telnet. The researchers also found that many computers were re-infected even after Smominru had been removed, and they developed and released a PowerShell script to detect machines infected by the worm, so that the infosec community and users themselves can detect the threat as early as possible.

Cyber security experts: how the malware infection chain works

According to cyber security experts, during the Smominru infection a PowerShell script (blueps.txt) is downloaded to the target machine. The script then downloads and runs three binary files: a worm downloader (u.exe / ups.exe), a Trojan (upsupx.exe), and an MBR rootkit (max.exe / ok.exe). The u.exe file sets the stage for the worm by downloading the DLLs needed to perform network scans; it then connects to an attack server, checks for the latest version of the worm, and downloads it. The upsupx.exe file is used to drop a variant of the open source Trojan called PcShare, which packs in many features, including download-and-execute, command and control, screen capture, and information theft. It also creates a new admin user named admin$ on the system and downloads additional scripts so that the criminals can perform further malicious actions.
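The indicators named in the infection chain above (the dropped binaries, the blueps.txt script and the rogue admin$ account) lend themselves to a simple host-triage rule. The following is an added example, not Guardicore's released detection script nor anything from the article: it scores pre-parsed Windows Security events (assumed to be event 4720 user-creation and 4688 process-creation records, field names chosen here) and names the hosts that should be isolated for investigation; the sample events are constructed.

```python
"""Score Windows Security events against the Smominru indicators above."""
import re
from collections import defaultdict

# Binary names from the article. Generic names (ok.exe, u.exe) get a low
# weight so a single hit does not raise an alert on its own.
PROCESS_INDICATORS = {
    "u.exe": 1, "ups.exe": 1, "upsupx.exe": 3, "max.exe": 1, "ok.exe": 1,
}
SCRIPT_RE = re.compile(r"blueps\.txt", re.IGNORECASE)
ROGUE_ADMIN = "admin$"
ALERT_THRESHOLD = 3  # score at which a host is reported


def score_events(events):
    """Return {host: (score, [reasons])} for every host with at least one hit.

    events: dicts with keys host, event_id, and either target_user (4720)
    or process / cmdline (4688). Field names are this example's own choice.
    """
    hits = defaultdict(lambda: [0, []])
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 4720 and ev.get("target_user", "").lower() == ROGUE_ADMIN:
            hits[host][0] += 3
            hits[host][1].append("local user admin$ created")
        elif eid == 4688:
            name = ev.get("process", "").rsplit("\\", 1)[-1].lower()
            if name in PROCESS_INDICATORS:
                hits[host][0] += PROCESS_INDICATORS[name]
                hits[host][1].append(f"process {name} started")
            if SCRIPT_RE.search(ev.get("cmdline", "")):
                hits[host][0] += 3
                hits[host][1].append("blueps.txt on command line")
    return {h: (s, r) for h, (s, r) in hits.items()}


def hosts_to_isolate(events, threshold=ALERT_THRESHOLD):
    """Hosts whose indicator score reaches the threshold, sorted by name."""
    return sorted(h for h, (s, _) in score_events(events).items() if s >= threshold)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv-01", "event_id": 4688, "process": r"C:\Windows\Temp\u.exe", "cmdline": "u.exe"},
    {"host": "srv-01", "event_id": 4688, "process": r"C:\Windows\Temp\upsupx.exe", "cmdline": "upsupx.exe"},
    {"host": "srv-01", "event_id": 4720, "target_user": "admin$"},
    {"host": "ws-07", "event_id": 4688, "process": r"C:\Tools\ok.exe", "cmdline": "ok.exe"},  # benign, generic name
    {"host": "ws-09", "event_id": 4688, "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Windows\Temp\blueps.txt"},
]

if __name__ == "__main__":
    for host, (score, reasons) in score_events(SAMPLE_EVENTS).items():
        print(host, score, reasons)
```

A host that only ran a generically named binary stays below the threshold; the weighting is the part a practitioner would tune against their own environment.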

The CERT-PA: The spread of Smominru is facilitated both by the use of weak passwords and by the existence of machines vulnerable to EternalBlue. It is vital to align operating systems with software updates


As CERT-PA's cyber security specialists note, the spread of Smominru is facilitated both by the use of weak passwords and by the existence of machines vulnerable to EternalBlue. Computers still affected by the vulnerability allow the campaign to keep spreading across the Internet and the malware to install itself on systems. Therefore it is imperative to align operating systems with the currently available software updates. However, patching may not be easy under certain conditions, so additional security measures should be considered, in the data center as well as across the organization. Elements to adopt or evaluate in order to maintain a solid level of security against threats such as Smominru are network segmentation, real-time detection of threats arriving in Internet traffic, and limiting the servers and services exposed to the Internet.»

