SMOMINRU – The Largest Mining BOTNET

What is Smominru?

Smominru, a gigantic Crypto-mining botnet that is equipped with worming capabilities and since the vitality it has gained significant adherence. The botnet came under the light in August 2019 that it makes the best use of propagation methods such as EterbalBLue exploit (ransomware worms like NotPetya and WannaCry) and EsteemAudit, brute-force, and attacks which gather credentials. It is also known for a large number of payloads that it delivers, including credential theft script, backdoors, Trojans and a cryptocurrency miner. The fundamental aim is to attempt and clean up the victims’ systems without fixing the root cause issue that left them vulnerable, an analysis according to the researchers was made.


The data revealed that Smominru had impacted 4,700 machines per day, and with such a rate, over 90,000 systems have been infected all around the globe during August 2019. Windows & Windows Server 2008 are the most infected operating systems, representing 85% of all infections. Other operating systems, including Windows server 2012Windows XP, and Windows Server 2003. The notorious botnet highly infected China, Taiwan, Russia, Brazil, and the U.S, which included victims likes higher-education institution, medical firms, and cybersecurity companies. Majority of the infected machines discovered were primarily small servers with 1-4 CPU cores leaving them unusable due to overutilization with the mining process. According to the researchers, the botnet has already contrived around $2.3 million through mining activity and is the most massive mining botnet to date.

Smominru explained by Blarrow


How does Smominru work/attack?

The botnet has also been designed to gain initial access on the exposed systems by directly brute-forcing weak credentials for different Windows services, including MS-SQLRDP, and Telnet as tracked by Guardicore (Check this out). Once the initial access is gained into the targeted systems, Smominru installs a Trojan module and a cryptocurrency miner that propagates inside the network to harness CPU of the victims’ PC to mine Monero and send it to a wallet owned by the malware’s operator. The researchers discovered that the operators behind the botnet upgraded Smominru to add a data harvesting module and a Remote Access Trojan (RAT) to their botnet’s cryptocurrency mining code. The attackers create many backdoors on the machine in different phases of the attack, including newly-created users, scheduled tasks, WMI objects, and services set to run at boot time. The logs describe each infected host that has external and internal IP addresses, the operating system and even the load on the system’s CPU. Then the attackers collect the running processes and steal credentials using Mimikatz.

As per the botnet’s worming capabilities, machines infected with Smominru can be a severe threat to a corporate network. The risk utilizes a large number of payloads and creates numerous backdoors that maintain persistence, including new administrative users, scheduled tasks, Windows Management Instrumentation (WMI) objects, start-up services, and master boot record (MBR) rootkit.

The attack flow of the botnet:

 1. Powershell script names blueps.txt is downloaded

2. Downloads and executes three binary files

3. Creates a new administrative user on the system

4. Downloads additional scripts to perform malicious actions.

Rather than using the victim’s server like in other botnets attacks, the attackers use their own systems that are primarily hosted in the U.S., with others hosted by ISPs in Malaysia and Bulgaria. There is a lot of cross-pollination in techniques between groups and the level is being upgraded over the years across the board. The botnet’s infrastructure is highly distributed with more than 20 servers used in parts of the attacks and each one serving a few files, according to Guardicore’s report. Even after removing Smominru from the infected machines, they were reinfected among the same cases which suggests that these systems remain unpatched and vulnerable to the botnet.


smominru largest mining botnet by Blarrow

The operators behind the cryptocurrency malware have ranked $2.8 to $3.8 million since May, making the payday impressive according to the researchers at Proofpoint. The operators have compiled a formidable botnet of infected servers pumping out 24 Monero daily or $8,500. With ransomware or banking Trojans, it is harder to get profits, but with cryptocurrency, it’s easy how effective they are. Smominru Botnet transforms compromised devices into miners of crypto-currencies. As for the system access of the profit stream, the selling of 500,000 systems have infected over the last year at the Dark Web rate of $6.75 each, that translates into $1.69 million – for total annual revenue of $3.29 million.

The scenario has changed for the Cybercriminals shifting from ransomware and banking trojans and has now focused on cryptocurrency as the values have surged sharply over the past 18 months. Part of Smominru’s success is that the miner’s use of Windows Management Infrastructure (WMI) which, according to the researchers, is unusual among coin mining malware. WIMI is a scripting tool for automating actions in Windows ecosystem, primarily used on servers. The significant profit is available to the botnet operators. The resilience of the infrastructure can be foreseen that these mining activities will continue advancing along with the widely probable impacts on the infected nodes, which can further be expected to be common and continue growing in size.

Reference Source: Guardicore

Smominru by


This was all about Smominru- The largest mining BOTNET to date. Are you also Terror-struck? Well, this was one of the threats present in this technology-driven world. There are millions of potential attacks that can ruin your systems within a millisecond. Two of such malwares which pose a grand threat to the Government and the organizations are AZORut and Revenge RAT. Malwares that threat the government. Quite incredible. Right? Know everything about them- Visit

- Advertisement -

An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness.Currently working as a Head of Content, content writer & creator at BLARROW.TECH

- Advertisement -

Latest articles

Related articles