One of the largest and most profitable cryptocurrency mining botnets, Smominru spreads using the NSA-attributed EternalBlue and EsteemAudit exploits leaked by the Shadow Brokers. As of February 1st, 2018, Smominru had infected more than 526,000 machines, primarily in Russia, India, and Taiwan.

EternalBlue, which exploits a vulnerability in version 1 of the Microsoft Server Message Block protocol (SMBv1, CVE-2017-0144), was the propagation mechanism behind the massive WannaCry ransomware outbreak in May 2017. Any host that still exposes SMBv1 on TCP/445 and lacks the MS17-010 patch remains vulnerable to it.

EsteemAudit exploits a Remote Desktop Protocol vulnerability (CVE-2017-0176) in the smart-card authentication path of Windows XP and Windows Server 2003, so it only reaches out-of-support Windows hosts with RDP exposed. Smominru's operators are also reported to go after Windows servers running MSSQL and Linux servers running MySQL, but those systems are not reached through EsteemAudit, which cannot run against Linux or against supported Windows versions.

Once implanted, Smominru deploys a cryptocurrency miner executable named Ismo.exe and uses Windows Management Instrumentation (WMI) to maintain persistence, so a host keeps re-launching the miner even after the process is killed.
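The following read-only triage script is an added example and is not code from the article or from Proofpoint's research. It checks the three things the text above gives a defender to look for on a Windows host: whether SMBv1 is still enabled (the precondition for EternalBlue), whether any permanent WMI event subscriptions exist (the persistence mechanism described above), and whether a process named Ismo.exe or a process with a Stratum-style mining connection is running. The cmdlets assume Windows 8 / Server 2012 or later; the list of Stratum ports and the treatment of the built-in BVT filter/consumer pair as benign are my assumptions, not claims from the article.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Everything here is read-only: it reports, it does not remediate.

function Test-Smb1Exposure {
    # EternalBlue (CVE-2017-0144) needs the SMBv1 server. Report both the cmdlet view
    # and the registry value, since the cmdlet is absent on older hosts.
    $result = [ordered]@{}
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.SMB1ServerEnabled = $cfg.EnableSMB1Protocol }
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    # A missing SMB1 value means the default applies, which on Windows 7 / 2008 R2 is "enabled".
    $result.SMB1RegistryValue = if ($null -eq $reg.SMB1) { 'not set (enabled by default)' } else { $reg.SMB1 }
    # Local view only: is anything listening on TCP/445 at all?
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    return [pscustomobject]$result
}

function Get-WmiPersistence {
    # Permanent event subscriptions live in root\subscription as a filter (a WQL query),
    # a consumer (what to run) and a binding that ties the two together.
    $filters   = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; match them up by their Name keys.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries script text.
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
            # Assumption: the built-in BVTFilter/BVTConsumer pair shipped by Windows is benign.
            LikelyBenign = ($f.Name -eq 'BVTFilter' -and $c.Name -eq 'BVTConsumer')
        }
    }
}

function Find-MinerIndicators {
    # The article names the miner binary Ismo.exe; Get-Process matches on the name without extension.
    $byName = Get-Process -Name 'Ismo' -ErrorAction SilentlyContinue | Select-Object Id, ProcessName, Path
    # Generic signal for any miner: an established connection to a pool on a Stratum-style port.
    # This port list is an assumption for illustration, not a list from the article.
    $stratumPorts = 3333, 4444, 5555, 7777, 8888, 14444, 45560
    $byNet = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $stratumPorts -contains $_.RemotePort } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid    = $_.OwningProcess
                Name   = $p.ProcessName
                Path   = $p.Path
                Remote = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
    return [pscustomobject]@{ NamedMatch = $byName; StratumLike = $byNet }
}

Write-Host '== SMBv1 exposure (EternalBlue precondition) =='
Test-Smb1Exposure | Format-List
Write-Host '== Permanent WMI event subscriptions (persistence) =='
Get-WmiPersistence | Format-Table -AutoSize -Wrap
Write-Host '== Miner indicators =='
Find-MinerIndicators | Format-List
```

Any binding reported with LikelyBenign set to False deserves a look at its Query and Payload: Smominru-style persistence shows up as a consumer whose payload launches the miner or a downloader, bound to a filter that fires on a timer or at boot. Clearing such a binding means removing the __FilterToConsumerBinding, the consumer and the filter, not just killing the miner process, or WMI will restart it.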

