Cryptojacking malware using EternalBlue to build botnets
Proofpoint researchers discovered a large Monero mining botnet that uses EternalBlue to spread, and it isn't the first time the Windows flaw has been used for cryptojacking.
Nearly one year after their release by the Shadow Brokers, NSA cyberweapons such as EternalBlue are still causing problems, and the most recent examples involve cryptojacking.
Cybersecurity vendor Proofpoint last week reported a new botnet called Smominru that takes over systems and uses their combined computing power to mine for the cryptocurrency Monero. The Smominru botnet, according to Proofpoint researchers, uses the EternalBlue exploit to take advantage of a vulnerability in Microsoft's Server Message Block (SMB) protocol. EternalBlue and other Windows exploits were part of a collection of NSA cyberweapons released to the public by the Shadow Brokers last April and were used in a variety of attacks, including the global WannaCry ransomware scourge. Proofpoint's researchers claim the cryptojacking botnet currently has 526,000 infected Windows hosts and has earned its operators approximately $3 million in Monero since it was first discovered last May.
"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically," Proofpoint researcher "Kafeine" wrote. "While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators."
Most cryptojacking schemes are fairly simple: hackers place mining software on websites, and when visitors arrive at those domains, JavaScript is loaded into their browsers, which are then used to mine cryptocurrency without the users' permission. The Smominru botnet is different in that it uses the EternalBlue exploit to infect users' systems rather than just their browsers. In addition, Kafeine said the Smominru miner's "use of Windows Management Infrastructure is unusual among coin mining malware."
The Smominru botnet isn't the first time EternalBlue has been used for malicious coin mining. Last fall, Panda Security published a report on a worm the vendor calls "WannaMine," which spreads a fileless Monero miner. Panda Security researchers said they didn't know what the initial infection vector was for WannaMine but did say it uses EternalBlue to infect unpatched Windows systems on a targeted network (Microsoft released a patch for the SMB vulnerability for current and older, unsupported versions of Windows).
While cryptojacking malware isn't as devastating to enterprises as ransomware, it can still have significant negative effects. In a recent blog post on WannaMine, CrowdStrike researchers described how coin miners commandeer CPU cycles and degrade system performance. "The tools have caused systems and applications to crash due to such high CPU utilization speeds," the researchers wrote. "In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems' CPUs."
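The CPU overutilization CrowdStrike describes is one of the few signals a coin miner cannot hide, so it is worth turning into a check. The script below is an added example written for this article, not code from Proofpoint, Panda Security or CrowdStrike: it parses constructed per-host CPU telemetry lines (the timestamp/host/cpu format and the host names are assumptions) and flags hosts whose CPU stays at or above a threshold for several consecutive samples, which separates a sustained miner from a workload that spikes briefly.

```python
"""Flag hosts whose CPU stays saturated for a sustained window.

Added example (not from the article or the vendors it cites). Coin miners
keep CPUs pinned near 100% for long periods, unlike normal workloads that
spike briefly, so the check looks for a run of consecutive high samples
rather than a single high reading.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (assumed format): "<ISO timestamp> <host> cpu=<percent>"
SAMPLE_LOG = """\
2018-02-01T10:00:00 ws-01 cpu=12
2018-02-01T10:01:00 ws-01 cpu=97
2018-02-01T10:02:00 ws-01 cpu=15
2018-02-01T10:00:00 ws-02 cpu=99
2018-02-01T10:01:00 ws-02 cpu=98
2018-02-01T10:02:00 ws-02 cpu=100
2018-02-01T10:03:00 ws-02 cpu=97
2018-02-01T10:04:00 ws-02 cpu=99
2018-02-01T10:00:00 ws-03 cpu=88
2018-02-01T10:01:00 ws-03 cpu=91
2018-02-01T10:02:00 ws-03 cpu=89
"""


def parse_samples(text):
    """Parse telemetry lines into {host: [(timestamp, cpu_percent), ...]}, sorted by time."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, cpu_field = line.split()
        cpu = int(cpu_field.split("=", 1)[1])
        by_host[host].append((datetime.fromisoformat(ts), cpu))
    for samples in by_host.values():
        samples.sort()  # consecutive runs only make sense in time order
    return dict(by_host)


def longest_saturated_run(samples, threshold=95):
    """Length of the longest run of consecutive samples at or above threshold."""
    best = run = 0
    for _, cpu in samples:
        run = run + 1 if cpu >= threshold else 0
        best = max(best, run)
    return best


def find_sustained_hosts(text, threshold=95, min_consecutive=4):
    """Return {host: run_length} for hosts saturated for min_consecutive samples in a row."""
    flagged = {}
    for host, samples in parse_samples(text).items():
        run = longest_saturated_run(samples, threshold)
        if run >= min_consecutive:
            flagged[host] = run
    return flagged


if __name__ == "__main__":
    for host, run in sorted(find_sustained_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {run} consecutive samples >= 95% CPU")
```

On the constructed data only ws-02 is flagged: ws-01 has a single spike and ws-03 sits just below the threshold. Lowering the threshold and window (for example 85% over three samples) would also catch ws-03, which is the tuning trade-off a SOC makes between catching throttled miners and paging on busy build servers.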