New malware, known alternatively as Smominru or WannaMine, has been observed enrolling devices into botnets for the purpose of mining cryptocurrency.
Smominru and WannaMine are very similar, with only slight differences in operation. Both are fileless, using Windows Management Instrumentation (WMI) scripting to maintain persistence across reboots, and both use the EternalBlue SMB exploit to propagate. WannaMine additionally deploys the Mimikatz credential harvester before moving to another device.
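Because the persistence described above lives in WMI rather than on disk, the place to look for it on a suspect host is the WMI permanent event subscription store. The PowerShell below is an added hunting example, not code from the original text or from any analysis of these families; it lists every filter-to-consumer binding in the root/subscription namespace with its query and payload so an analyst can review them. The function name Get-WmiSubscriptionBindings is this example's own; the classes it queries (__EventFilter, __EventConsumer, __FilterToConsumerBinding) are the standard WMI subscription classes.

```powershell
# Added example (not from the original page): enumerate WMI permanent event
# subscriptions, the mechanism fileless miners such as Smominru/WannaMine use
# to survive reboots. This is a generic review aid, not a family-specific signature.
function Get-WmiSubscriptionBindings {
    $ns = 'root/subscription'

    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    # __EventConsumer is the abstract base; the query returns the concrete
    # consumers (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # With Get-CimInstance, Filter and Consumer are embedded references
        # whose Name property identifies the related instance.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # Command-line consumers carry CommandLineTemplate; script consumers
        # carry ScriptText. Either one is the code that runs when the filter fires.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)       { $c.ScriptText }
                   else                          { '' }

        [pscustomobject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            ConsumerName = $c.Name
            Payload      = $payload
        }
    }
}

# Run from an elevated prompt; review each row rather than alerting on count.
Get-WmiSubscriptionBindings | Format-List
```

Windows ships with a small number of legitimate bindings (for example the SCM Event Log Consumer), so the output is meant to be read, not thresholded: a binding whose payload launches a script host or a long encoded command line, or whose filter fires on a timer or at boot, is what warrants a closer look.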
Unlike other cryptomining malware, Smominru/WannaMine place a heavy load on a system’s resources. The attackers behind them appear to prefer mining as fast as possible, overusing the CPU to the point that the system may crash.