New Monero mining malware infected 500K PCs by using 2 NSA exploits

Another day, another Monero mining malware – This one uses two NSA exploits and so far it has mined over 8,900 Monero.

It looks like the craze of cryptocurrency mining is taking over the world by storm as every new day there is a new malware targeting unsuspecting users to use their computing power to mine cryptocurrency. Recently, the IT security researchers at Proofpoint have discovered a Monero mining malware that uses leaked NSA (National Security Agency) EternalBlue exploit to spread itself.

NSA’s leaked EternalBlue exploit in action

Dubbed Smominru by researchers, the is highly sophisticated malware has infected 526,000 Windows-based computers since May 2017 and is capable of mining around 24 Monero (XMR) per day which is currently $5,657. So far, the malware has generated 8,900 Monero which is around $2 million from targets in India, Russia, and Taiwan.

Monero mining malware infects 500K PCs by using 2 NSA exploits
Smominru Stats and Payments on the MineXMR mining pool (Credit: Proofpoint).

“Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” researchers wrote in their blog post.

Adylkuzz is another cryptocurrency malware appeared after the WannaCry attack. Adylkuzz also uses EternalBlue and targets Windows-based computers to mine Monero cryptocurrency.

The EternalBlue exploit was leaked by Shadow Brokers hacking group after hacking the agency. The same exploit was then used by hackers to spread WannaCry ransomware campaign which affected over 200,000 victims and more than 300,000 computers around the world.

Smominru also uses NSA’s EsteemAudit exploit

According to researchers, hackers are also using another NSA exploit called EsteemAudit to spread Smominru malware. The EsteemAudit exploit was leaked by Shadow Brokers in April 2017. The ex-NSA spy Edward Snowden had described the leak as “The mother of all exploits.”

Furthermore, Smominru’s command and control (C&C) infrastructure is hosted on SharkTech, a DDoS protection company in Las Vegas, NV. Proofpoint informed SharkTech about the ongoing cybercriminal activity on their server but did not receive any reply from the company.

“As bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Moreno can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” said Proofpoint researchers.

“The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations,” researchers added.

As HackRead previously reported the easiest way to generate Monero is using Javascript code provided by Coinhive however, hackers have been using the code for malicious purposes. Just a week ago, YouTube ads were found generating Monero by using the visitors’ CPUs (Central Processing Unit) power.

Moreover, hackers also exploited vulnerabilities in Oracle WebLogic flaws to mine $266,000 worth of Monero while BlackBerry’s mobile website was also hacked to mine Monero. These incidents indicate that hackers and cybercriminal community is eager to make easy money, therefore, users should remain vigilant and avoid downloading files from third-party websites.

How To Block Cryptocurrency Mining

There are several ways of blocking cryptocurrency minors from using your browser and CPU power including minerBlock and No Coin extensions on Chrome web store developed for the sole purpose of blocking cryptocurrency mining and cryptojacking. Both extensions are open source and open to the public, users can check out the source code on Github here and here.

Opera Browser

Opera browser is a valuable line of defense against such cryptocurrency mining. Opera 50 prevents websites from hijacking your browser to mine cryptocurrency while its apps on Android and iOS store are equipped with anti-cryptocurrency mining capability which stops malicious apps from hijacking your device to mine cryptocurrencies.

Related: Russian Hacker Exploits GTA 5 PC Mod to Install Cryptocurrency Miner

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.