A global botnet dubbed “Smominru” has been secretly mining Monero on infected machines and making millions of dollars for its owners, according to research from Proofpoint.
The operators have mined about 8,900 Monero, valued at up to $3.6 million, at a rate of 24 Monero ($8,500) per week.
Researchers have watched the Smominru botnet spread since May 2017. Now including over 526,000 infected Windows hosts, Smominru uses EternalBlue, a Windows exploit developed by the NSA and leaked by the hacking group Shadow Brokers.
The Smominru botnet’s command and control infrastructure is hosted behind SharkTech, a hosting and DDoS protection service that reportedly ignored repeated abuse notifications.
SharkTech did not respond to a request for comment.
“This Monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe,” Kevin Epstein, a vice president of threat operations at Proofpoint, said in a release. “Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching.”
Cryptojacking is the practice of using infected machines to mine cryptocurrency without a user’s authorization, resulting in overloaded CPUs and crashed processes. It’s an increasingly popular and lucrative line of business for criminals; cryptojacking software known as Coinhive is the most prevalent malware online today.
Monero is a cryptocurrency with a much stricter focus on privacy than more popular currencies like bitcoin. Experts have long predicted and seen cybercriminals move toward Monero because it’s easier for hackers to earn big scores without being caught by police. Smominru is one of the most lucrative signs yet of Monero’s adoption in the criminal underground.
New research from Cisco’s Talos division suggested large, organized cryptojacking botnets can pull in tons of money. A typical PC generates about $0.28 worth of Monero per day, meaning that large botnets can bring in up to $100 million per year.