Malware stops you getting infected (…Again)
A new TTP is observed in Smominru malware.
Smominru was first observed in 2017, primarily as a cryptomining botnet. Its large payload carries many features, including credential theft and worm-like propagation across Windows 7 and Windows Server 2008 hosts. Several propagation techniques have been documented, most notably the EternalBlue exploit.
EternalBlue exploits CVE-2017-0144, the SMBv1 vulnerability patched in MS17-010 and made famous by WannaCry. It is well documented and still regularly exploited.
Interestingly, Smominru has been observed using a TTP (Tactics, Techniques and Procedures) that is new for this family. Other malware and threat actors have used it before, but it is rarely discussed and worth a closer look.
Once Smominru infects a machine and runs through its standard routine of information collection and further propagation, it starts cryptomining, using the victim's compute resources to generate digital currency for the attackers.
Cryptomining is resource-heavy, and anything that slows the machine down, such as additional malware, is bad for the attacker's business. It is not uncommon to find a vulnerable machine, or a website, infected with several malware variants run by different threat actors.
So, to keep other threat actors and their malware out, Smominru shuts down the same SMB ports EternalBlue came in through (TCP 445, and 139 for SMB over NetBIOS) to prevent further infection. In essence, helping the victim… kind of. For a defender, that block rule is an indicator of compromise rather than a fix: the host is already running a miner, and the SMBv1 flaw is still unpatched behind the closed port.
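A self-inflicted SMB lockdown is something you can hunt for. The script below is an added example, not code from the original post or from Smominru itself. It checks two signals over constructed sample data: enabled inbound block rules for TCP 139/445 that your admin baseline did not deploy (the rule records are assumed to have the fields you would get by joining PowerShell's Get-NetFirewallRule with Get-NetFirewallPortFilter; that shape, the rule names and the baseline set are assumptions), and hosts whose SMB port was reachable in one network scan and gone in the next with no change record (the scan snapshots and change tickets are likewise constructed).

```python
"""Hunt for a malware-imposed SMB lockdown (added example, not the post's code)."""
from __future__ import annotations

SMB_PORTS = {139, 445}  # TCP ports on which MS17-010 / EternalBlue traffic arrives

# Constructed sample firewall rules (assumed shape; not real data).
SAMPLE_RULES = [
    {"DisplayName": "Core Networking - DNS (UDP-Out)", "Direction": "Outbound",
     "Action": "Allow", "Protocol": "UDP", "LocalPort": "Any", "Enabled": True},
    {"DisplayName": "File and Printer Sharing (SMB-In)", "Direction": "Inbound",
     "Action": "Allow", "Protocol": "TCP", "LocalPort": "445", "Enabled": True},
    {"DisplayName": "GPO-SMB-Hardening", "Direction": "Inbound",
     "Action": "Block", "Protocol": "TCP", "LocalPort": "445", "Enabled": True},
    {"DisplayName": "hd3fgx", "Direction": "Inbound",
     "Action": "Block", "Protocol": "TCP", "LocalPort": "139,445", "Enabled": True},
    {"DisplayName": "svchost-update", "Direction": "Inbound",
     "Action": "Block", "Protocol": "TCP", "LocalPort": "Any", "Enabled": True},
    {"DisplayName": "old-disabled-rule", "Direction": "Inbound",
     "Action": "Block", "Protocol": "TCP", "LocalPort": "445", "Enabled": False},
]
BASELINE_RULE_NAMES = {"GPO-SMB-Hardening"}  # block rules the admins actually pushed

# Constructed scan snapshots: host -> set of open TCP ports (not real data).
SCAN_BEFORE = {"10.0.0.5": {445, 3389}, "10.0.0.6": {445}, "10.0.0.7": {80}}
SCAN_AFTER = {"10.0.0.5": {3389}, "10.0.0.6": set(), "10.0.0.7": {80}}
CHANGE_TICKETS = {"10.0.0.6"}  # hosts with an approved SMB lockdown on record


def parse_ports(value) -> set[int] | None:
    """Expand a LocalPort value ("445", "139,445", "137-139", a list, or "Any").

    Returns the set of ports covered, or None when the rule matches any port.
    """
    if isinstance(value, (list, tuple)):
        ports: set[int] = set()
        for item in value:
            sub = parse_ports(item)
            if sub is None:          # one "Any" entry makes the whole rule a wildcard
                return None
            ports |= sub
        return ports
    text = str(value).strip()
    if text.lower() == "any":
        return None
    ports = set()
    for piece in text.split(","):
        piece = piece.strip()
        if "-" in piece:             # inclusive range such as "137-139"
            lo, hi = (int(p) for p in piece.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif piece:
            ports.add(int(piece))
    return ports


def covers_smb(rule: dict) -> bool:
    """True if the rule's protocol/port filter would catch SMB traffic."""
    if rule.get("Protocol", "").upper() not in ("TCP", "ANY"):
        return False
    ports = parse_ports(rule.get("LocalPort", "Any"))
    return ports is None or bool(ports & SMB_PORTS)


def suspicious_smb_block_rules(rules, baseline_names) -> list[str]:
    """Enabled inbound block rules covering SMB that the baseline did not deploy."""
    return sorted(
        r["DisplayName"] for r in rules
        if r.get("Enabled", True)
        and r.get("Direction") == "Inbound"
        and r.get("Action") == "Block"
        and covers_smb(r)
        and r["DisplayName"] not in baseline_names
    )


def smb_went_dark(before, after, change_tickets) -> list[str]:
    """Hosts with SMB reachable in the first scan, gone in the second, no ticket.

    A host missing from the second scan entirely is also reported: an exposed
    box that vanished deserves a look just as much as one that closed 445.
    """
    return sorted(
        host for host, ports in before.items()
        if ports & SMB_PORTS
        and not (after.get(host, set()) & SMB_PORTS)
        and host not in change_tickets
    )


if __name__ == "__main__":
    print("unexplained SMB block rules:", suspicious_smb_block_rules(SAMPLE_RULES, BASELINE_RULE_NAMES))
    print("hosts whose SMB went dark:", smb_went_dark(SCAN_BEFORE, SCAN_AFTER, CHANGE_TICKETS))
```

On a real fleet, feed the first function the exported rule set from each host and the second two consecutive scanner exports. A hit on either is a reason to pull the host for triage, not to delete the rule: removing the block re-exposes an SMBv1 service that is still unpatched, so patch MS17-010 and clean the miner before reopening anything.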