New cryptocurrency mining viruses have lately spread to infect Windows computers as virtual currency-related malware becomes popular and profitable among cyber criminals.
The viruses are being spread using same EternalBlue exploit, which has been developed by the US National Security Agency (NSA). The exploit was recently used as part of the worldwide WannaCry ransomware attack.
According to researchers from Proofpoint, a massive global botnet dubbed ‘Smominru’ is using EternalBlue SMB exploit to infect PCs and secretly mine monero cryptocurrency (valued at $245.47) for its master.
They said the botnet has already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows.
Cybercriminals are using at least 25 machines to scan the internet for vulnerable PCs. They also use leaked NSA’s RDP protocol exploit for infection.
The botnet operators have already mined almost 9,000 monero by stealing computing resources of millions of systems.
“Based on the hash power associated with the monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz,” Proofpoint researchers said. Adylkuzz virus appeared after the WannaCry attack, creating a network of compromised computers which it could remotely control.
According to experts, the highest number of the new Smominru infections has been observed in Russia, India, and Taiwan.
“As bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in monero has increased dramatically. While monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators,” said the researchers.
They added the operators of the botnet are “persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations.”
They expect those activities to continue “given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure.”