Cryptomining malware Smominru infiltrated over 500,000 machines worldwide to mine cryptocurrencies and steal access data. Researchers from Carbon Black’s Threat Analysis Unit (TAU) said that Smominru compromises systems through a botnet in order to illicitly mine Monero (XMR).
Many cryptojacking efforts use similar tactics: they infiltrate a vulnerable system by brute-forcing weak credentials and then take over its CPU. All the cryptocurrency generated this way is sent to the wallet of the malware’s operator. This malware did not just mine cryptocurrency; it also stole access data to sell on the dark web. The malware has been upgraded with an additional component that harvests system data in what the researchers call “access mining.”
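The foothold described above, repeated credential guessing against an exposed login, leaves a recognisable trace in authentication logs: a burst of failures from one source, followed by a success. The following detector is an added example written for this article, not code from Carbon Black or from the malware analysis; the log lines and their `LOGIN_FAILED` / `LOGIN_OK` format are constructed for the demonstration and do not represent any real product’s output.

```python
"""Brute-force login detector over constructed auth-log lines.

Added example (not part of the original article). It flags a source
address that produces many failed logins in a short window, and escalates
when a successful login from that source follows the burst, the pattern a
credential-guessing foothold leaves behind.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, made-up format.
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAILED src=203.0.113.7 user=administrator
2024-03-01T10:00:02 LOGIN_FAILED src=203.0.113.7 user=admin
2024-03-01T10:00:03 LOGIN_FAILED src=203.0.113.7 user=Administrator
2024-03-01T10:00:04 LOGIN_FAILED src=203.0.113.7 user=root
2024-03-01T10:00:05 LOGIN_FAILED src=203.0.113.7 user=administrator
2024-03-01T10:00:06 LOGIN_OK src=203.0.113.7 user=administrator
2024-03-01T10:05:00 LOGIN_FAILED src=192.0.2.20 user=alice
2024-03-01T10:15:00 LOGIN_FAILED src=192.0.2.20 user=alice
2024-03-01T10:15:30 LOGIN_OK src=192.0.2.20 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAILED|LOGIN_OK) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(lines):
    """Yield (timestamp, event, src, user) for each well-formed line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        yield (datetime.fromisoformat(m["ts"]), m["event"], m["src"], m["user"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (src, kind, timestamp, user) alerts.

    kind is "burst" when `threshold` failures from one source fall inside
    `window`, and "success_after_burst" when a successful login from that
    source follows its burst within `window`.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    last_burst = {}                # src -> timestamp of the most recent burst
    alerts = []
    for ts, event, src, user in parse(log_text.splitlines()):
        if event == "LOGIN_FAILED":
            recent = failures[src]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            # Alert once, on the failure that crosses the threshold.
            if len(recent) == threshold:
                last_burst[src] = ts
                alerts.append((src, "burst", ts, user))
        elif event == "LOGIN_OK":
            burst_ts = last_burst.get(src)
            if burst_ts is not None and ts - burst_ts <= window:
                alerts.append((src, "success_after_burst", ts, user))
            # A success ends the current guessing sequence for this source.
            failures[src].clear()
    return alerts


if __name__ == "__main__":
    for src, kind, ts, user in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} src={src} user={user}")
```

On the sample input the detector raises a `burst` alert for `203.0.113.7` on its fifth failure and a `success_after_burst` alert when that source then logs in, while the two spaced-out failures from `192.0.2.20` stay below the threshold. The "success after burst" alert is the one worth paging on: a burst alone is noise on an internet-facing host, but a success right after it is the moment a defender wants to reset the credential and look for a freshly installed miner.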
Access mining is the addition of a data-harvesting module and a Remote Access Trojan (RAT) to cryptocurrency mining code. Commercially available malware and open-source tools, including Mimikatz, have also been modified for purposes including data theft, credential stealing, and propagation. The botnet has been active for at least two years and generally spreads through the EternalBlue exploit, an old vulnerability made public in 2017 that was also used during the global WannaCry ransomware campaign. Victims of the malware are mainly in the Asia Pacific region. As of now, the researchers cannot say for certain that access to compromised systems is being sold on the dark web.