Meet Smominru, a Dangerous Malware That Could Try to Steal Your Credentials

You could say that the Smominru worm isn't the most widely known cyber threat out there. It has attracted some attention, mostly from security researchers, but it hasn't been in the news as often as Trickbot, for example. Nevertheless, it has been tormenting Windows users across the globe since 2017, and researchers from Guardicore recently decided to take a closer look at how it's getting on. Their findings were rather surprising.

The researchers managed to access one of the malware's core Command & Control (C&C) servers and read its logs. They found that during August 2019 alone, Smominru infected some 90,000 Windows machines, an average of roughly 4,700 computers and servers per day.

Like most threats of this type, Smominru doesn't target particular users or organizations. It has infected machines belonging to companies in a wide variety of sectors. China, Taiwan, Russia, Brazil, and the US recorded the most victims in August, and Guardicore said that the majority of infected devices were small servers.

All in all, while it might not be the most recognizable malware family, Smominru seems to be quite a lot more active than some of its better-known competitors, and it's clearly managing to affect a large number of users. How is it doing that?

Simple techniques and old exploits are at the root of Smominru's success

Smominru has two ways of infecting new hosts and moving laterally around a network. It either brute-forces weak credentials on exposed services such as RDP and Telnet, or it exploits the SMBv1 vulnerability that Microsoft patched as MS17-010, better known by the name of the exploit that targets it: EternalBlue.

A brute-force attack is arguably the simplest tool in the attackers' arsenal. Unfortunately, because people keep reusing the same weak passwords, it is often one of the most effective ones as well. In Smominru's case, a few common configuration mistakes help it along.

Telnet is a decades-old cleartext protocol with an obvious replacement in SSH, and while RDP is still the standard way to administer Windows remotely, neither should be reachable from the internet. Yet plenty of administrators leave both exposed, protected only by a weak or default password and with no account lockout policy in place. Combine that with the habit of reusing the same credentials across machines, and you'll see how a worm like Smominru gets in and then moves around the network with ease.

The same negligence is at the heart of Smominru's second infection vector: EternalBlue. EternalBlue is an exploit widely attributed to the NSA that targets a vulnerability in the Windows SMBv1 implementation. Microsoft fixed the flaw in March 2017 (security bulletin MS17-010), a month before the Shadow Brokers leaked the exploit in April 2017. The threat was so serious that, after the WannaCry outbreak in May 2017, Microsoft went out of its way to release patches even for systems that had already reached end-of-support, such as Windows XP and Windows Server 2003. Despite all this, EternalBlue powered two of the most severe cyberattacks of the decade: the WannaCry ransomware outbreak in May 2017 and NotPetya in June 2017.

You'd think that users, and especially those in charge of company servers, would have patched their systems by now, but sadly, this is not the case.

In fact, 85% of the machines Smominru infected during the August campaign were running either Windows 7 or Windows Server 2008 R2. Both have had an MS17-010 patch available since March 2017, and both reach end of support in January 2020, so the problem isn't a lack of patches but a failure to apply them. Worse, Guardicore reported that roughly a quarter of the victims were re-infected after the worm was discovered and removed, which is exactly what you'd expect when a machine is cleaned but left unpatched and still reachable with the same password.

All in all, the impressive speed with which Smominru infects new hosts is not down to its operators' skill or sophistication. It has far more to do with users and system administrators alike neglecting the most basic security practices.

Smominru enables crypto mining and credential theft

Once Smominru lands on a new machine, it first creates a new local user account with administrative rights. With that, the worm has carte blanche to do pretty much whatever it wants on the infected host, and a foothold that survives a change of the password it originally guessed.

Guardicore's researchers noted that the samples they observed were especially hostile towards competitors. Shortly after a successful infection, Smominru kills processes, deletes files and scheduled tasks, and reverts registry changes associated with other malware families. It then blocks certain network ports to lower the chances of another attacker compromising the same host through the same route.
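Both behaviours described so far leave a trail in the Windows Security log: the brute-force attempts show up as bursts of failed logons (event 4625), and the new administrative account shows up as an account creation (event 4720) followed almost immediately by an addition to the local Administrators group (event 4732). The following is an added example, not code from the original article or from Guardicore, showing one way to catch both patterns. The events, IP addresses, account names and SIDs are constructed for the example; the field names mirror the ones Windows uses, but a real pipeline would read them from an event-log export.

```python
"""Added example: two detections for the Smominru behaviours described above,
run over constructed Windows Security-log events (not a real capture)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs: 4625 = failed logon, 4720 = user account created,
# 4732 = member added to a security-enabled local group.
# LogonType 10 = RemoteInteractive (RDP), 2 = Interactive (console).
T0 = datetime(2019, 8, 12, 3, 14, 5)  # arbitrary start time for the sample


def _ts(offset_s):
    return (T0 + timedelta(seconds=offset_s)).isoformat()


def _failed_logons(ip, count, step_s, logon_type):
    # One 4625 every step_s seconds, the cadence a password-guessing bot leaves.
    return [{"EventID": 4625, "TimeCreated": _ts(i * step_s), "IpAddress": ip,
             "LogonType": logon_type, "TargetUserName": "administrator"}
            for i in range(count)]


SAMPLE_EVENTS = (
    _failed_logons("203.0.113.7", count=40, step_s=3, logon_type=10)  # RDP guessing
    + _failed_logons("10.0.0.5", count=3, step_s=60, logon_type=2)    # a mistyped password
    + [
        # A new account created by a SYSTEM-level process and promoted to
        # Administrators four seconds later: the post-infection step described above.
        {"EventID": 4720, "TimeCreated": _ts(200), "SubjectUserName": "SYSTEM",
         "TargetUserName": "sysadm", "TargetSid": "S-1-5-21-1-2-3-1105"},
        {"EventID": 4732, "TimeCreated": _ts(204), "SubjectUserName": "SYSTEM",
         "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1105"},
        # Benign: an administrator creates an unprivileged service account.
        {"EventID": 4720, "TimeCreated": _ts(900), "SubjectUserName": "jsmith",
         "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1106"},
    ]
)


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Flag every source IP that produces `threshold` or more failed logons
    within any `window`-long sliding interval. Returns one alert per IP."""
    recent = defaultdict(deque)  # ip -> timestamps of 4625s still inside the window
    alerts = {}
    for ev in sorted((e for e in events if e["EventID"] == 4625), key=_when):
        ip, t = ev["IpAddress"], _when(ev)
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop attempts that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"ip": ip, "first": q[0], "count": 0,
                                       "logon_type": ev["LogonType"]})
            a["count"] = max(a["count"], len(q))
            a["last"] = t
    return list(alerts.values())


def detect_new_local_admin(events, window=timedelta(minutes=10)):
    """Correlate 4720 (account created) with a later 4732 that adds the same
    SID to the local Administrators group within `window`. Matching on the
    SID rather than the name avoids being fooled by a renamed account."""
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    alerts = []
    for ev in sorted((e for e in events if e["EventID"] == 4732), key=_when):
        origin = created.get(ev["MemberSid"])
        if ev["TargetUserName"] != "Administrators" or origin is None:
            continue
        delay = _when(ev) - _when(origin)
        if timedelta(0) <= delay <= window:
            alerts.append({"account": origin["TargetUserName"], "sid": ev["MemberSid"],
                           "created_by": origin["SubjectUserName"],
                           "seconds_to_admin": delay.total_seconds()})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS):
        print(f"brute force: {a['ip']} {a['count']} failures, logon type {a['logon_type']}")
    for a in detect_new_local_admin(SAMPLE_EVENTS):
        print(f"new local admin: {a['account']} ({a['sid']}) created by "
              f"{a['created_by']}, promoted after {a['seconds_to_admin']:.0f}s")
```

Run as-is, the script flags the 40 RDP failures from 203.0.113.7 and the sysadm account, while the three console mistakes from 10.0.0.5 and the unprivileged svc_backup account stay quiet. The threshold and window are deliberately parameters: a server that legitimately sees a lot of RDP traffic needs a higher threshold than a file server that should never see a remote logon at all, and an account that is promoted to Administrators within seconds of being created by SYSTEM is worth a look regardless of the window you pick.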

Clearly, the Smominru operators don't want to share the loot, and when you see what that loot is, you'll hardly be surprised. For more than a year now, the gang has been using infected hosts' hardware to mine the cryptocurrency Monero, but according to Guardicore's report, the payloads now also include Mimikatz, an open-source tool that pulls plaintext passwords, password hashes and Kerberos tickets out of the memory of the LSASS process on Windows. Indeed, while going through the logs on Smominru's C&C server, the researchers found quite a few stolen login credentials, and credentials harvested this way are exactly what a worm needs to move laterally without an exploit.

Speaking of the C&C, the researchers also pointed out that Smominru's operators have built a serious backend. There are at least 20 C&C servers dedicated to controlling the worm. Most of them are located in the US, but there are also some in places like Malaysia and Bulgaria, which means that bringing the whole operation down will be hard.

All of which means that users and system administrators should take another look at their network configuration and update policy: is SMBv1 still enabled and the MS17-010 patch still missing, are RDP and Telnet reachable from the internet, and do the accounts behind them have strong, unique passwords and a lockout policy? If the answer to any of these is the wrong one, your systems are exactly what Smominru is looking for.

October 9, 2019