A new security report indicates that the KingMiner crypto-mining operation is back in the game with new attacks against MSSQL (Microsoft SQL) databases.
Owners of such databases should secure their servers: Sophos researchers detected brute-force attacks attempting to guess the password of the “sa” (server administrator) account.
Once attackers succeed in breaking into the targeted MSSQL database, they create a new database user named “dbhelp”. The next step of this malicious operation is installing the well-known KingMiner cryptocurrency miner, which hijacks the server’s resources.
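A defender-side way to spot the two behaviours described above, the password-guessing burst against “sa” and the appearance of an unexpected login such as “dbhelp”, is to watch the SQL Server error log and the server’s login list. The script below is an added example and is not code from the article or from the Sophos report; the sample log lines are constructed for the demo (modelled on the SQL Server ERRORLOG “Login failed/succeeded for user …” format), and the threshold, time window and baseline login set are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG logon messages (not real data).
SAMPLE_LOG = """\
2020-06-09 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:01.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:02.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-06-09 10:20:44.10 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Extract (timestamp, outcome, user, client) from ERRORLOG-style logon lines."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue  # non-logon lines (startup messages, backups, ...) are ignored
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m.group("outcome"),
            "user": m.group("user"),
            "client": m.group("client"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag every (client, user) pair with >= threshold failed logins inside a sliding window.

    The alert also records whether a successful login from the same client for the same
    user followed the burst within one window, which is the 'guess succeeded' case.
    Threshold and window are assumed values; tune them to the server's normal traffic.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        bucket = failures if ev["outcome"] == "failed" else successes
        bucket[(ev["client"], ev["user"])].append(ev["ts"])

    alerts = {}
    for key, stamps in failures.items():
        stamps.sort()
        recent = deque()
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures older than the window
                recent.popleft()
            if len(recent) >= threshold:
                burst_end = ts
                ok_after = any(burst_end <= s <= burst_end + window
                               for s in successes.get(key, []))
                alerts[key] = {"failures": len(stamps), "followed_by_success": ok_after}
                break  # one alert per source/user pair is enough
    return alerts


def detect_new_logins(baseline, current):
    """Return server logins present now that were not in the approved baseline.

    `current` would normally come from SELECT name FROM sys.server_principals;
    here both sets are supplied by the caller so the check runs offline.
    """
    return set(current) - set(baseline)


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_LOG)
    for (client, user), info in detect_bruteforce(evs).items():
        print(f"brute force against '{user}' from {client}: {info}")
    # Assumed baseline of approved logins versus a snapshot taken after the incident.
    print("unexpected logins:", detect_new_logins({"sa", "reportsvc"}, {"sa", "reportsvc", "dbhelp"}))
```

Running it on the constructed lines reports the five-guess burst against “sa” from 203.0.113.5 as followed by a successful login, leaves the single failure from the reporting service alone, and lists “dbhelp” as a login absent from the baseline. In practice the login snapshot would be read from `sys.server_principals` and the log from the instance’s ERRORLOG or the `sys.fn_get_audit_file` output.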
The Latest Attacks of the KingMiner Botnet
According to the Sophos report (PDF), “KingMiner is an opportunistic botnet that keeps quiet and flies under the radar”. Its operators are resourceful but work with limited resources, as is visible from the freely available tools and concepts they include in their operations. Active since 2018, the botnet recently started to experiment with the EternalBlue exploit.
The infection process may use a privilege elevation exploit (CVE-2017-0213 or CVE-2019-0803) to prevent the operating system from blocking their activities. The operators prefer open source or public domain software (like PowerSploit or Mimikatz) and have enough skill to customize and enhance its source code. They also use publicly available malware families like the Gh0st RAT or the Gates backdoor.
Other techniques deployed by the gang include DLL side-loading and a DGA (domain name generator algorithm) that automatically changes the hosting domains on a weekly basis.
One of the most peculiar things in these recent attacks is that KingMiner operators “patch” systems against the BlueKeep vulnerability:
If the infected computer is not patched against the BlueKeep vulnerability, KingMiner disables the vulnerable RDP service in order to lock out competing botnets.
In November 2018, KingMiner was once again targeting Microsoft servers, mostly IIS\SQL, attempting to guess their passwords by using brute-force attacks. Once access was obtained, the malware would download a Windows Scriptlet file (.sct) and execute it on the victim’s computer. The analysis showed that the miner was configured to use 75% of the CPU capacity of the infected machine. However, coding errors actually pushed CPU utilization to 100%.
As for the malware’s mining pool, it was private and its API had been turned off, and the wallet had never been used in public mining pools. This made it practically impossible for researchers to track the domains in use or to determine the quantity of Monero coins mined.