The Smominru botnet, active since 2017, is spreading rapidly and infecting up to 4,700 Windows devices daily. The education, medical and cybersecurity sectors in China, Taiwan, Russia, Brazil and the United States have been hit the hardest. Its focus is cryptocurrency mining, but it also steals credentials, installs backdoors and makes system modifications. 85% of the affected machines run Windows 7 or Windows Server 2008 and were compromised through the EternalBlue exploit, previously used by the infamous WannaCry ransomware. Apart from using the exploit, the attackers have also been brute-forcing weak credentials for various Windows services, including MS-SQL, RDP and Telnet.
To protect company networks and devices against Smominru and similar attacks, it is vital to keep all machines up to date and to enforce strong passwords. To assist in detecting Smominru, researchers from Guardicore have released a PowerShell script that can scan for and detect the presence of this infection.
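Since the page attributes most infections to unpatched EternalBlue (MS17-010) and exposed SMBv1, a defender's first question is "is this host still vulnerable?". The following PowerShell is an added example, not Guardicore's script and not code from the page: it checks for the March 2017 MS17-010 security updates on the Windows versions the page names and reports whether the SMBv1 server is enabled. The KB numbers are the original MS17-010 packages (KB4012212/KB4012215 for Windows 7 SP1 and Server 2008 R2, KB4012598 for Server 2008 SP2); later monthly rollups supersede them under different KB IDs, so a "not found" result is a prompt to verify against your patch baseline, not proof of exposure. Function and variable names are the example's own.

```powershell
# Added example: quick local exposure check for the MS17-010 / SMBv1 attack surface
# described on the page. Run in an elevated PowerShell session on the host being checked.

function Test-Ms17010Patch {
    # Original March 2017 MS17-010 package IDs for the OS versions the page names.
    # Assumption: later cumulative rollups (different KB IDs) supersede these, so a
    # miss here is a prompt to check your patch baseline, not proof the host is exposed.
    $knownKbs = @('KB4012212', 'KB4012215', 'KB4012598')

    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $knownKbs -contains $_.HotFixID }

    [PSCustomObject]@{
        Check  = 'MS17-010 original package present'
        Result = if ($installed) { $true } else { $false }
        Detail = if ($installed) { ($installed.HotFixID -join ', ') }
                 else { 'none of the March 2017 KBs found; verify superseding rollups' }
    }
}

function Test-Smb1ServerEnabled {
    # The SMB1 DWORD under LanmanServer\Parameters is honoured on Windows 7 / 2008 as
    # well as newer releases; absent means the default (enabled) on those legacy versions.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1

    $enabled = ($null -eq $value) -or ($value -ne 0)

    [PSCustomObject]@{
        Check  = 'SMBv1 server disabled'
        Result = -not $enabled
        Detail = if ($null -eq $value) { 'SMB1 value not set (defaults to enabled on legacy Windows)' }
                 else { "SMB1 registry value = $value" }
    }
}

function Get-ExposedLegacyListeners {
    # Ports the page lists as brute-force targets: MS-SQL (1433), RDP (3389), Telnet (23),
    # plus SMB (445) for EternalBlue. Reports which of them are listening locally so the
    # owner can confirm each one is intended and protected by strong credentials.
    $watched = @{ 445 = 'SMB'; 1433 = 'MS-SQL'; 3389 = 'RDP'; 23 = 'Telnet' }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $watched.ContainsKey([int]$_.LocalPort) } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            [PSCustomObject]@{
                Check  = "Listening: $($watched[[int]$_.LocalPort])"
                Result = $false   # listening is not itself a failure, just something to review
                Detail = "port $($_.LocalPort) bound to $($_.LocalAddress)"
            }
        }
}

# Collect and print the findings as one table.
$findings = @()
$findings += Test-Ms17010Patch
$findings += Test-Smb1ServerEnabled
$findings += Get-ExposedLegacyListeners
$findings | Format-Table -AutoSize
```

Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later; on Windows 7 or Server 2008 the listener check will simply return nothing, and `netstat -ano` is the fallback. Treat the output as a triage aid: a host showing SMBv1 enabled and no MS17-010 package is the profile the page describes, and the fix is the patch and disabling SMBv1, followed by a credential review for any of the listed services that are reachable from the network.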