Key Findings from Access Mining Investigation
CB TAU had been investigating the behaviors of a known cryptomining campaign, Smominru, and discovered that the threat actor had extended its cryptomining toolkit with additional components for collecting sensitive information from victim computers and exfiltrating it to various File Transfer Protocol (FTP) servers running on compromised infrastructure.
Prompted by the discovery of new dredge-net style information collection and remote access components associated with the Smominru campaign, TAU asked the question, “Why would a cryptomining campaign need to extract sensitive information and leverage a RAT?”
This question led to the hypothesis that these systems were being profiled for the purpose of selling access to buyers interested in that type of machine, especially any machine that happens to be located within a particular company of interest. Furthermore, based on the evidence uncovered, this campaign has been actively underway for the past two years, infecting systems en masse and actively spreading by way of EternalBlue.
Through the course of this investigation, we believe we have discovered in the wild all the elements that would be required to successfully execute an end-to-end Access Mining campaign. While we cannot conclude that the threat actor in question is definitively selling access to targeted hosts, we do believe that the findings below are consistent with this behavior and demonstrate that such a complex and dangerous campaign is plausible.
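The three behaviors these findings tie together (a miner process, outbound FTP to external infrastructure, and SMB fan-out consistent with EternalBlue spreading) are worth correlating per host rather than alerting on individually, since FTP or SMB traffic alone is routine. The following is an added example, not code from the CB TAU report: it scores hosts over constructed endpoint and network telemetry; the miner indicators, thresholds, event schema and sample values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Hypothetical miner indicators; real indicator values are outside this excerpt.
MINER_IMAGES = {"xmrig.exe"}
MINER_CMD_MARKERS = ("stratum+tcp://",)
FTP_PORTS = {21}
SMB_PORT = 445
# Internal ranges checked explicitly (ipaddress.is_private also matches documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry: "proc" = process start, "net" = outbound connection.
EVENTS = [
    {"host": "ws-01", "kind": "proc", "image": "xmrig.exe", "cmdline": "xmrig.exe -o pool.example:3333"},
    {"host": "ws-01", "kind": "net", "dport": 21, "dst": "203.0.113.10"},   # FTP to external host
    {"host": "ws-01", "kind": "net", "dport": 445, "dst": "10.0.0.5"},      # SMB fan-out to 3 peers
    {"host": "ws-01", "kind": "net", "dport": 445, "dst": "10.0.0.6"},
    {"host": "ws-01", "kind": "net", "dport": 445, "dst": "10.0.0.7"},
    {"host": "ws-02", "kind": "net", "dport": 21, "dst": "203.0.113.10"},   # FTP alone: ambiguous
    {"host": "ws-03", "kind": "proc", "image": "svchost.exe", "cmdline": "-o stratum+tcp://pool.example:3333"},
    {"host": "ws-03", "kind": "net", "dport": 445, "dst": "10.0.0.5"},      # one SMB peer: below threshold
]

def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def assess_hosts(events, spread_threshold=3):
    """Return {host: sorted stages} with stages drawn from miner, ftp-exfil, smb-spread."""
    stages = defaultdict(set)
    smb_targets = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "proc":
            image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
            if image in MINER_IMAGES or any(m in cmd for m in MINER_CMD_MARKERS):
                stages[host].add("miner")
        elif ev["kind"] == "net":
            if ev["dport"] in FTP_PORTS and not _is_internal(ev["dst"]):
                stages[host].add("ftp-exfil")          # data leaving to non-internal FTP server
            elif ev["dport"] == SMB_PORT and _is_internal(ev["dst"]):
                smb_targets[host].add(ev["dst"])       # count distinct internal SMB peers
    for host, targets in smb_targets.items():
        if len(targets) >= spread_threshold:
            stages[host].add("smb-spread")
    return {h: sorted(s) for h, s in stages.items()}

def flag_access_mining(events, spread_threshold=3):
    """Hosts showing all three stages, i.e. the full pattern described in the findings."""
    return sorted(h for h, s in assess_hosts(events, spread_threshold).items() if len(s) == 3)
```

Hosts with only one stage (ws-02, ws-03) are left for triage rather than alerted, which is the point of correlating the stages.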