Researchers at Proofpoint have been tracking a massive distributed botnet dubbed Smominru, a Monero cryptocurrency miner, that spreads using the EternalBlue Exploit (CVE-2017-0144).
Since May of last year, Smominru has earned cyber criminals millions of dollars by infecting Windows computers to increase the size of its botnet.
At least 25 hosts were launching the attacks via EternalBlue, an SMB vulnerability that was part of the Microsoft security bulletin and fix (MS17-010).
“The miner’s use of Windows Management Infrastructure is unusual among coin mining malware,” Proofpoint said in the blog post.
Proofpoint further noted that that attackers may be using another malicious tool called EsteemAudit, that exploits CVE-2017-0176, a vulnerability in the Windows Remote Desktop Protocol (RDP) on Windows XP and Windows Server 2003.
Palo Alto Networks wrote up a detailed report on EsteenAudit, another tool released in a ShadowBrokers dump, last May.