From 3ad7e412a431031573f49ee39e92b3581a0ee169 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 1 Feb 2018 14:29:06 +0100
Subject: [PATCH] add Smominru
---
 clusters/banker.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/banker.json b/clusters/banker.json
index aac1f81..f12e8ca 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -511,6 +511,19 @@
 "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
 ]
 }
+ },
+ {
+ "value": "Smominru",
+ "description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
+ ],
+ "synonyms": [
+ "Ismo",
+ "lsmo"
+ ]
+ }
 }
 ],
 "version": 7,
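Review bot: The new `"value": "Smominru"` entry is filed in `clusters/banker.json`, although its own description calls it a Monero miner that spreads via EternalBlue (CVE-2017-0144); anything that tags or triages events by cluster would then label miner infections as banking malware, so the entry probably belongs in a cluster for miners or botnets if the repository has one. The trailing context line `"version": 7,` is unchanged and the diffstat shows insertions only, so the cluster version is not bumped; if consumers decide whether to re-import based on that field, it should become `"version": 8,`. The synonyms `"Ismo"` and `"lsmo"` differ only by a capital I versus a lowercase L, which looks like an accidental duplicate; since JSON cannot carry a comment, the commit message should say the pair is deliberate. The description is also pasted in the vendor's first person with relative dates ("we have been monitoring", "this week"), which will read as stale and unattributed once detached from the referenced article.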