Well-known Monero mining malware modified to steal user data

Monero (XMR), the privacy-oriented cryptocurrency, has been plagued by mining malware issues again. Carbon Black, an online security firm, revealed in a report that its Threat Analysis Unit found “a secondary component” in a well-known malware program called “Smominru.” The malware script had been modified to “steal system access information for possible sale on the dark web.” This malware has already infected half a million computers.

According to the researchers:

“This discovery indicates a bigger trend of commodity malware evolving to mask a darker purpose and will force a change in the way cybersecurity professionals classify, investigate and protect themselves from threats.”

Smominru was initially detected in May 2017 and was also detected in January 2018. Last year, researchers at security firm, Proofpoint, confirmed that Smominru had been using a National Security Agency (NSA) exploit. This exploit, known as EternalBlue, infects computers with XMR mining malware.

Regarding the latest iteration of the malware, Carbon Black discovered the modifications when they found “unusual activity” across several endpoints. They found sophisticated, multi-stage malware that was sending detailed system metadata to a network of hijacked web servers.” Back in September 2018, the Monero community members released a blog post condemning all such XMR mining malware attacks:

“[We] condemn this malicious, non-consensual use of equipment to mine (XMR) … The Monero community does not want to sit idly by as victims struggle to understand the impact of mining and ransomware.”