General security

Cryptocurrency mining botnets on the rise

Pierluigi Paganini
February 7, 2018 by
Pierluigi Paganini


The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Let's see together what's happened during the last weeks.

The Smominru botnet

Recently malware researchers at security firm Proofpoint have discovered a vast botnet dubbed 'Smominru' (also known as Ismo) that is using the NSA-linked EternalBlue exploit (CVE-2017-0144) to infect Windows computers and abuse their resources to mine Monero cryptocurrency.

"Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which had earned millions of dollars for its operators," states the analysis published by Proofpoint.

The experts were able to conduct a sinkholing activity with the help of Abuse.CH and the ShadowServer Foundation that allowed them to analyze the botnet and its dimension.

The investigation revealed that the Smominru botnet uses a command and control infrastructure that is hosted on DDoS protection service SharkTech. The experts reported the discovery to the hosting provider that ignored their notification.

Proofpoint is monitoring the botnet since May 2017; the malicious code has already infected more than 526,000 Windows computers worldwide.

Figure 1 - Smominru Infection Map (ProofPoint)

Most of the infected systems are servers; this is not a surprise considering that attackers aim to infect such kind of machines due to their computing power. The researchers observed infections worldwide, most of them in Russia, India, and Taiwan.

It has been estimated that the Smominru botnet had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

"Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz," the researchers said. "The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2)."

Figure 2 - Smominru Stats and Payments on the MineXMR mining pool

The researchers who analyzed the propagation process discovered that cybercriminals are using at least 25 dedicated servers to scan the Internet for EternalBlue vulnerable Windows computers and also leveraging the NSA EsteemAudit (CVE-2017-0176) for compromising them.

All the hosts involved in the scanning activities appear to sit behind the network autonomous system AS63199.

"Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations," concluded the Proofpoint.

"Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. We also expect botnets like that described here to become more common and to continue growing in size."

Old threats, a new way to monetize: the DDG Botnet

Smominru is not the single huge botnet that is used to mine cryptocurrencies, while Proofpoint was disclosing its technical details, researchers from Qihoo 360's NetLab discovered another massive mining activity conducted by the DDG botnet.

The DDG botnet was first detected in 2016; its operators have continuously updated it throughout 2017, it is currently one of the most massive mining botnets.

According to the researchers at Qihoo 360's NetLab, the DDG botnet was involved in Monero-mining abusing Redis and OrientDB servers.

"Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG" reads the analysis published by NetLab.

The earnings are very interesting, the malicious code has already infected nearly 4,400 servers and mined over $925,000 worth of Monero since March 2017.

The bot scans the Internet for vulnerable machines, it attempts to exploits the remote code execution vulnerability CVE-2017-11467 in OrientDB database servers and targets Redis servers via a brute-force attack. Crooks are focusing their efforts on attacks against servers that usually have more "hash power."

Once the target server is accessed, the attackers deliver the malicious payload.

The attack chain described by the researchers from Qihoo 360's Netlab is composed of the following steps:

  • Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
  • Stage 1: Attackers modify local Crontab scheduled tasks, download and execute (hxxp: // on the primary server and keep it synchronized every 5 minutes
  • Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
  • Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker's wallet.

Figure 3 - DDG Mining Botnet attack process

The experts conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections are in China (73%), followed by the United States (11%).

The researchers noticed that the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

"The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where "Total Paid" is not consistent with the summary of all tractions' amount. We cannot confirm which number is more accurate, so we show both numbers here," continues the analysis.

Cryptocurrency mining botnets go mobile

The availability of a large number of poorly protected mobile devices represents an excellent opportunity for cybercriminals that intend to build their own mining botnet.

Security researchers at Qihoo 360's NetLab have recently spotted a new Android mining botnet dubbed ADB.A miner that is targeting Android devices by scanning for open ADB debugging interface (port 5555).

Cybercriminals are infecting smartphones, tablets, and smart TV set-top boxes with a Monero, cryptocurrency miner.

The port 5555 is the working port ADB debug interface on Android device that should be shut down normally. The devices infected by ADB.miner are devices where users or vendors have voluntary enabled the debugging port 5555.

"Spread of time: the earliest time of infection can be traced back to near January 31. This current wave of helminthic infections has been detected by our system from around 15:00 on the afternoon of 2018-02-03 and is still on the rise," reads the analysis published by Netlab.

"Infected port: 5555, is the working port adb debug interface on Android device, the port should be shut down normally, but unknown part of the cause led to the wrong port opened."

Starting from February 3, 2018, the expert noticed a rapid growth of the volume of scan traffic on port 5555 associated with the ADB.Miner:

Figure 4 - Scan Traffic on Port 5555

Once the ADB.Miner has infected a device; the compromised system starts scanning the Internet for other devices to infect.

According to the experts, ADB.miner borrowed the scanning code implemented by the Mirai botnet; this is the first time that an Android threat uses the Mirai code.

The researchers did not reveal the way the malware infects the Android devices; it is likely it exploits a flaw in the ADB interface.

The number of infected devices is rapidly growing, according to different caliber statistics, there are 2.75 ~ 5.5k, and this figure is rapidly growing.

The two sources reported by NetLab are:

  • Statistics from scanmon: 2.75k, mainly from China (40%) and South Korea (31%).
  • Statistics from our botnet tracking system: 5.5k

At the time of writing the number of ADB.miner scans reached 75,900 unique IP addresses.

Figure 5 - ADB.miner scanning activities

Experts observed that the majority of IP addresses scanning the port 5555 are located in China (~40%) and South Korea (~30%).

The operators of the botnet are using the following Monero wallet address:


That still has not received the first payment for the mine.


Cryptocurrency miners are not a novelty in the threat landscape, but in the last months, their impact is becoming even more dangerous.

Malware developers are focusing their efforts in developing mining scripts, cryptocurrency miners and mining botnets. As principal cryptocurrencies have become resource-intensive to mine, crooks are using any means to compose huge botnet that can allow them to monetize their operations quickly.

A trend in mining botnet is the use of malicious code specifically designed to exploit vulnerabilities in servers with significant hash power.

The diffusion of these malicious codes is particularly dangerous for companies, the infection could have a significant impact on their operations, for this reason, we cannot underestimate these phenomena.

It is easy to predict the rapid spread of mining botnets and the growth of their size.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.