A brand new strain of Monero mining malware is using NSA exploits to target Windows users and has so far mined over $2 million worth of Monero.
This highly sophisticated strain of malware was recently found to be using two separate National Security Agency (NSA) exploits, and has to date mined over 8,900 Monero.
Hackers have been highly innovative in finding new ways to profit by infecting victims with malware that mines cryptocurrency. The malware hijacks an unsuspecting victim’s central processing units (CPUs) to mine cryptocurrency for the hackers. The latest malware strain demonstrates a surprising sophistication. It was first discovered by a group of researchers from the cybersecurity firm Proofpoint. What makes the malware significant is that it spreads by using a leaked NSA exploit, known as EternalBlue.
The malware strain, dubbed Smominru by the Proofpoint researchers, has so far infiltrated 526,000 Windows PCs and has been active since May 2017. The malware is capable of collectively mining up to 24 Monero daily, which currently equates to $5,657. In total, this campaign has successfully mined 8,900 Monero from affected devices primarily located in Taiwan, India, and Russia.
In a blog post, Proofpoint researchers say that, judging by Smominru’s hash power, this attack could be twice the size of the earlier Adylkuzz malware campaign, which emerged shortly after the height of the WannaCry ransomware attack. Adylkuzz operates in a similar manner to Smominru, as it also uses the EternalBlue exploit to spread the malware to Windows devices.
The NSA exploit was famously leaked by a hacking group known as the Shadow Brokers after they hacked into the NSA servers. The EternalBlue exploit was subsequently used by hackers to distribute the crippling WannaCry ransomware campaign, which has to date affected more than 300,000 devices all over the world.
Smominru uses both the EternalBlue exploit and another NSA exploit, known as EsteemAudit, to spread the malware. Like its peer, EsteemAudit was leaked by the Shadow Brokers last April. Edward Snowden previously referred to the EsteemAudit leak as the mother of all exploits.
The Smominru malware is hosted by a Las Vegas-based DDoS protection firm, SharkTech. Proofpoint notified the firm of the illegal activity on their servers, but the company has so far failed to respond.
As Bitcoin becomes increasingly difficult to mine, more and more hackers and individuals are turning to altcoins instead. Since Monero cannot be mined profitably from a single PC, hackers are building botnets and launching malware attacks to profit from the cryptocurrency. The researchers further state that the hackers behind Smominru are sophisticated and persistent in their attacking techniques.
Concerned users have been advised to try Chrome extensions such as No Coin or minerBlock in order to protect themselves from cryptocurrency-mining malware.