Cryptocurrency mining malware, or cryptojacking for short, is one of the major cybersecurity threats aimed at both individual users and enterprises, entire networks included. According to statistics, one in three organizations has been targeted by cryptocurrency miners.
The number of cryptocurrency miners (or cryptominers) has been increasing, with new infections being uncovered on a daily basis. KingMiner is the name of the latest such threat discovered by Trend Micro researchers.
More about the KingMiner Cryptominer
KingMiner mines the Monero cryptocurrency and targets Windows servers. It was first detected in the wild in mid-June, and improved versions were released in the wild soon after. Whoever is behind the miner uses various evasion techniques, which leads to significantly reduced detection rates, the researchers said. Moreover, the number of infections is growing steadily.
KingMiner specifically targets Microsoft servers, mostly IIS\SQL, and attempts to guess their passwords using brute-force attacks. Once access is obtained, the malware downloads a Windows Scriptlet file (.sct) and executes it on the victim’s computer. The file performs the following operations:
- The file detects the relevant CPU architecture of the machine.
- If older versions of the attack files exist, it kills the relevant exe file process and deletes the files themselves.
- A payload ZIP file (zip\64p.zip) is downloaded based on the detected CPU architecture. It should be noted that it is not an actual ZIP file but rather an XML file, which bypasses emulation attempts.
- The XML payload includes a Base64 blob which, once decoded, yields the intended “ZIP” file.
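The disguised payload format described above can be checked for on the defensive side: a file that claims to be a ZIP but is really XML wrapping a Base64-encoded archive. The following is an added example written for this article, not code from Trend Micro or from the malware; the sample XML, element names and archive entry names are constructed placeholders.

```python
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Loose matcher for a long run of Base64 text inside an XML text node.
B64_RUN = re.compile(r"[A-Za-z0-9+/=\s]{64,}")


def inspect_payload(data: bytes) -> dict:
    """Classify a downloaded '.zip': a real archive, an XML wrapper around a
    Base64-encoded archive (the trick described above), or neither."""
    result = {"real_zip": False, "xml_wrapper": False,
              "embedded_zip": False, "entries": []}
    if data.startswith(ZIP_MAGIC):
        result["real_zip"] = True
        result["entries"] = zipfile.ZipFile(io.BytesIO(data)).namelist()
        return result
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return result  # neither ZIP nor XML
    result["xml_wrapper"] = True
    for node in root.iter():
        text = (node.text or "").strip()
        if not B64_RUN.fullmatch(text):
            continue
        try:
            blob = base64.b64decode(text)
        except ValueError:
            continue
        if blob.startswith(ZIP_MAGIC):  # decoded blob is the hidden archive
            result["embedded_zip"] = True
            result["entries"] = zipfile.ZipFile(io.BytesIO(blob)).namelist()
            break
    return result


def build_sample() -> bytes:
    """Constructed sample: XML carrying a Base64 ZIP, mimicking the disguised
    64p.zip. Entry names and contents are placeholders, not real artifacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", '{"cpu_max_usage": 75}')
        zf.writestr("xmrig.exe", b"PLACEHOLDER-NOT-A-REAL-BINARY")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f'<?xml version="1.0"?><package><data>{b64}</data></package>'.encode()
```

Running `inspect_payload` over files fetched by IIS or SQL Server hosts with a mismatch between extension and content is a cheap signal that does not depend on the miner's changing hashes.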
In case older versions of the malware files are detected on the targeted machine, they will be deleted by the new, currently active version. Upon extraction, KingMiner creates a set of new registry keys and executes an XMRig miner file configured for Monero mining.
The analysis shows that the miner is configured to use 75% of the CPU capacity of the infected machine. However, coding errors actually push it to 100% CPU utilization.
As for the mining pool of the malware, it is private and its API has been turned off, and the wallet has never been used in public mining pools. This makes it practically impossible for researchers to track the domains in use or to determine the quantity of Monero coins mined.
Who’s targeted? Researchers say the attack is currently widespread, from Mexico to India, Norway and Israel.
KingMiner is an example of evolving cryptocurrency mining malware that can bypass common detection and emulation systems, Trend Micro says. The researchers predict that more attacks of this type will be seen in the future.