Smominru
Malware⚠️ Overview
Smominru is a cryptocurrency mining botnet first identified by Proofpoint researchers in May 2017, primarily designed to mine Monero (XMR) by compromising Windows servers and enterprise networks. It is operated by a financially motivated threat actor known as the "Smominru Group" or "TA542" (overlapping with the group behind the Emotet banking trojan, though Smominru is separate), and falls under the categories of cryptojacking malware and botnet. The malware is also tracked by MITRE ATT&CK as malware S1047 (Smominru) and by the cybersecurity community as a prolific miner that uses the EternalBlue exploit for rapid self-propagation.
🔧 Technical Capabilities
Smominru propagates by scanning for vulnerable Windows systems exposing SMBv1, exploiting the EternalBlue vulnerability (CVE-2017-0144, CVE-2017-0143, and related CVEs) to gain remote code execution without authentication. Once inside, it uses Windows Management Instrumentation (WMI) for command execution and persistence (MITRE ATT&CK T1047), and logs in via stolen credentials using Mimikatz (T1003) to move laterally. The malware maintains command-and-control (C2) communication over HTTP and DNS tunneling, with C2 servers hosted on bulletproof hosting providers and frequently changing domains. For persistence, it creates scheduled tasks and WMI event subscriptions, and disables Windows Defender and other security tools (T1562.001). It exfiltrates system and credential data before deploying the XMRig miner, which communicates with mining pools such as nanopool.org and supportxmr.com on ports 3333, 5555, and 8080. Smominru also drops a backdoor component that allows attackers to download additional payloads, and it uses process hollowing and code obfuscation to evade signature-based detection (T1055.012).
📜 History & Notable Incidents
First appearing in early 2017, Smominru grew to become one of the largest cryptomining botnets, infecting over 500,000 Windows machines by December 2017, with a significant concentration in Russia, India, and Taiwan (Proofpoint, 2018). Notable campaigns include a wave in early 2018 targeting healthcare organizations and government agencies in Eastern Europe, and a 2019 resurgence exploiting the BlueKeep vulnerability (CVE-2019-0708) in addition to EternalBlue. The botnet was partially disrupted in February 2020 when law enforcement actions, including sinkholing of C2 domains by the FBI and EUROPOL, reduced its activity, but Smominru remains active as of 2024, with periodic updates to its evasion techniques. No official threat group attribution has been made, but researchers at Proofpoint and CrowdStrike have linked the operators to financially motivated criminal networks.
🔍 Detection Indicators
Known file hashes include XMRig miner binaries with SHA256 hashes such as e3f3c3d0c8a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 (example from VirusTotal collection). Behavioral indicators include outbound connections to mining pool domains like pool.supportxmr.com on TCP 3333, and the presence of the mutex name Globalmsmq (used by Smominru’s WMI persistence). Registry persistence keys are created under HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with names like “msupdate” or “svchost”. Network IOCs include User-Agent strings such as “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0” used in C2 HTTP requests, and specific C2 IP ranges (e.g., 185.165.29.x, 95.215.47.x) reported by AlienVault OTX.
☠️ Risk & Impact
Smominru causes significant financial damage through the theft of computing resources for cryptomining, leading to increased electricity costs, degraded system performance, and hardware wear. It also exfiltrates credentials and system information, enabling lateral movement and secondary ransomware or data extortion attacks. Affected sectors include healthcare (where medical devices and clinical servers were targeted), financial services (ATMs and banking infrastructure), and government networks (especially in Russia, India, and Taiwan), with estimated cumulative losses in the tens of millions of USD from mining and incident response costs.
🛡️ Mitigation
Organizations should apply all critical patches for SMBv1 (CVE-2017-0144) and disable SMBv1 via Group Policy, and install updates for BlueKeep (CVE-2019-0708). Deploy endpoint detection and response (EDR) rules to block XMRig binaries and monitor for outbound connections to known mining pools, and use tools like YARA rules (e.g., Proofpoint’s “Win32_Smominru_Miner” rule) to detect file artifacts. Restrict WMI execution to authorized users and implement application whitelisting to prevent unauthorized miner execution.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.