Smominru Hidden Miner Infected Over 500k PCs

Smominru uses a leaked National Security Agency exploit and mines Monero
02 February 2018

An exploit leaked from the US National Security Agency (NSA) allowed the Smominru botnet, which mines Monero (XMR), to infect more than 526,000 computers, The Hacker News reports.

Researchers at the cybersecurity company Proofpoint discovered a new global botnet called Smominru, also known as Ismo. It spreads using the EternalBlue exploit, which was allegedly developed by the NSA, and uses the infected machines to mine the Monero cryptocurrency.

EternalBlue became public when the hacker group Shadow Brokers leaked it in April 2017; the same exploit was used a month later to spread the WannaCry ransomware.

The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes.

Proofpoint Researchers

Smominru has been infecting computers since May 2017 and mines around 24 XMR per day. To date the botnet has mined around 8,900 XMR, worth about $2.1 million. The largest numbers of infected machines are in Russia, India and Taiwan.

The targets were machines running unpatched versions of Windows with SMBv1 exposed, which is what EternalBlue exploits. The operators also used another leaked NSA exploit, EsteemAudit, which targets the RDP service on Windows XP and Windows Server 2003. The practical check for an administrator is whether MS17-010 is installed and SMBv1 is disabled on every reachable host; EsteemAudit is addressed by a separate patch (CVE-2017-0176), so MS17-010 alone does not cover it.

According to The Hacker News, the researchers found Smominru's command-and-control infrastructure hosted with the DDoS protection provider SharkTech, which had not responded to requests for comment at the time of writing.

Scammers Replaced MEGA Extension to Steal Crypto

MEGA is a popular file-sharing service; scammers were able to replace its official Google Chrome extension
05 September 2018

The popular file-sharing service MEGA has reported a hacker attack. Attackers managed to upload a trojaned version of the service's official Chrome extension to the Chrome Web Store and use it to collect credentials for users' cryptocurrency wallets.

On 4 September 2018 at 14:30 UTC, an unknown attacker uploaded a trojaned version of MEGA's Chrome extension, version 3.39.4, to the Google Chrome webstore. Upon installation or autoupdate, it would ask for elevated permissions (Read and change all your data on the websites you visit) that MEGA's real extension does not require and would (if permissions were granted) exfiltrate credentials for sites including amazon.com, live.com, github.com, google.com (for webstore login), myetherwallet.com, mymonero.com, idex.market and HTTP POST requests to other sites, to a server located in Ukraine. Note that mega.nz credentials were not being exfiltrated.

MEGA Blog

Attackers could thus obtain the credentials for the popular cryptocurrency wallets MyEtherWallet and MyMonero, and users' funds on the decentralized exchange IDEX were also at risk. Since the extension only gained this access if the user accepted the new permission prompt, anyone who installed or auto-updated to version 3.39.4 and granted it should treat credentials entered on the affected sites during that window as compromised.

MEGA stressed that it replaced the trojaned extension with a genuine one four hours after the upload, and that Google removed the extension from the Chrome Web Store an hour after that. At the time of publication, the MEGA extension for Chrome was still unavailable in the official store.

Earlier it was reported that MyEtherWallet users who ran the free VPN extension Hola could have fallen victim to a hacker attack.