The security company Proofpoint said in a blog post that since May last year, its researchers had been monitoring the miner that was infecting new Windows servers using the EternalBlue exploit, malware crafted by the NSA and leaked on the Web in April 2017 by a group known as the Shadow Brokers.
While Proofpoint researcher Kafeine said that the miner, which had been christened as Smominru or Ismo, was well-known, the fact that it was using Windows Management Infrastructure was unusual.
"Based on the hash power associated with the Monero payment address for this operation, it appears that this botnet was likely twice the size of Adylkuzz," he wrote.
Other researchers had noted attacks via Microsoft's SQL Server and EsteemAudit, an RDP vulnerability.
A sinkholing operation had provided an estimate of 526,000 infected Windows hosts, most of which were in Russia, India and Taiwan.
Kafeine said Proofpoint had contacted the mining pool MineXMR to request that that the existing Monero address associated with Smominru be removed, but though this was done after several days, the botnet operators were observed registering new domains and mining to a new address on the same mining pool.
On the bright side, the operators may have lost control over a third of the botnet as a result.
"Because most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity," Kafeine said.
"The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations."
Kevin Epstein, vice-president of Threat Operations at Proofpoint, said: "We repeatedly see threat actors ‘follow the money’ - over the last several months, the money has been in cryptocurrency and actors are turning their attention to a variety of illicit means to obtain both Bitcoins and alternatives.
"This monero mining botnet is extremely large, made up mostly of Microsoft Windows servers spread around the globe.
"Taking down the botnet is very difficult given its distributed nature and the persistence of its operators. For businesses, preventing infection through robust patching regimens and layered security is the best protection from potentially disruptive impacts on critical infrastructure."
Graphic: courtesy Proofpoint