Cryptojacking malware using EternalBlue to build botnets

Proofpoint researchers discovered a large Monero mining botnet that uses EternalBlue to spread, and it isn't the first time the Windows flaw has been used for cryptojacking.

Nearly one year after their release by the Shadow Brokers, NSA cyberweapons such as EternalBlue are still causing problems, and the most recent examples involve cryptojacking.

Cybersecurity vendor Proofpoint last week reported a new botnet called Smominru that takes over systems and uses their combined computing power to mine for the cryptocurrency Monero. The Smominru botnet, according to Proofpoint researchers, uses the EternalBlue exploit to take advantage of a vulnerability in Microsoft's Server Message Block (SMB) protocol. EternalBlue and other Windows exploits were part of a collection of NSA cyberweapons released to the public by the Shadow Brokers last April and were used in a variety of attacks, including the global WannaCry ransomware scourge. Proofpoint's researchers claim the cryptojacking botnet currently has 526,000 infected Windows hosts and has earned its operators approximately $3 million in Monero since it was first discovered last May.

"As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically," Proofpoint researcher "Kafeine" wrote. "While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators."

Most cryptojacking schemes are fairly simple: hackers place mining software on websites, and when visitors arrive at those domains, JavaScript is loaded into their browsers, which are then used to mine cryptocurrency without the users' permission. The Smominru botnet is different in that it uses the EternalBlue exploit to infect users' systems rather than just their browsers. In addition, Kafeine said the Smominru miner's "use of Windows Management Infrastructure is unusual among coin mining malware."

The Smominru botnet isn't the first time EternalBlue has been used for malicious coin mining. Last fall, Panda Security published a report on a worm the vendor calls "WannaMine," which spreads a fileless Monero miner. Panda Security researchers said they didn't know what the initial infection vector was for WannaMine but did say it uses EternalBlue to infect unpatched Windows systems on a targeted network (Microsoft released a patch for the SMB vulnerability for current and older, unsupported versions of Windows).

While cryptojacking malware isn't as devastating to enterprises as ransomware, it can still have significant negative effects. In a recent blog post on WannaMine, CrowdStrike researchers described how coin miners commandeer CPU cycles and degrade system performance. "The tools have caused systems and applications to crash due to such high CPU utilization speeds," the researchers wrote. "In one case, a client informed CrowdStrike that nearly 100 percent of its environment was rendered unusable due to overutilization of systems' CPUs."

Join the conversation



Has your organization applied the patch for EternalBlue? Why or why not?
You think that these machines were infected before WannaCry or we still have a lot of unpatched computers?
Probably the latter. Keep the timeline in mind -- Microsoft patched the SMB flaw in March BEFORE EternalBlue was made public (April) and before WannaCry was released (May). My guess is that most networks that got hit with WannaCry and/or these cryptomining malware samples were not patched. Reminder: the SMB flaw isn't the initial vector, it's just used to spread throughout a corporate network once the first infection is made. So it's possible that many enterprise users DID get infected (through a phishing email or malicious website) even though their network was patched for EternalBlue, in which case the damage would be much less than if the flaw was unpatched. Hope that makes sense.