A malware used to mine the Monero cryptocurrency is relying on constant improvements to avoid detection and increase the chances of success. According to researchers at Israeli cybersecurity firm Check Point Software Technologies, the malware which is known as KingMiner will likely continue getting updated…
A malware used to mine the Monero cryptocurrency is relying on constant improvements to avoid detection and increase the chances of success.
According to researchers at Israeli cybersecurity firm Check Point Software Technologies, the malware which is known as KingMiner will likely continue getting updated in the future in order to increase the probability of successful attacks. This will inevitably make detection even harder.
KingMiner, which mostly targets servers developed by Microsoft specifically Internet Information Services (IIS) and SQL Server, employs brute force tactics to guess the passwords of the users with a view of compromising the server during the initial phase of the attack.
Upon gaining access, a Windows Scriptlet file (with the file name extension .sct) is downloaded before being executed on the machine of the victim. In the execution stage, the machine’s CPU architecture is detected and if older versions of the attack files are found, the new infection deletes them. KingMiner then goes on to download a file with .zip extension – this is not a ZIP file though but an XML file. The point here is to bypass emulation attempts.
It is only after extraction that new registry keys are created by the malware payload and Monero-mining XMRig file executed. By design, the XMRig CPU miner is intended to use about 75% of the CPU capacity but can exceed this as a result of coding errors.
KingMiner has been able to avoid detection by employing relatively simple mechanisms such as obfuscation and executing the executable file only in order to leave no trace of activity. Additionally, KingMiner is taking extreme measures to prevent its activities from being monitored or its creators getting traced:
“It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private.”
But even as detection engines report reduced detection rates of KingMiner, a steady increase in the malware’s attack attempts have been noted, according to Check Point Software Technologies.
The report by the researchers at Check Point comes at a time when incidences of cryptojacking across the globe are reported to have increased. In September, CCN reported that cryptojacking had risen by 86% in the second quarter of this year as per McAfee Labs.
At the time, McAfee Labs indicated that the targets of the cryptojacking malware were not just personal computers but were increasingly smartphones and other mobile devices with an internet connection, an indication that bad actors were casting their net as wide as possible in the face of falling cryptocurrency prices.
Featured image from Shutterstock.
Last modified: January 24, 2020 10:53 PM UTC