Cryptocurrency mining, or cryptojacking for short, is one of the biggest cybersecurity threats aimed at both individual users and businesses, entire networks included. According to statistics, one in every three organizations has been targeted by cryptocurrency miners.
The number of cryptocurrency miners (or cryptominers) has been increasing, with new infections being uncovered on a daily basis. KingMiner is the name of the latest such threat discovered by Trend Micro researchers.
More about the KingMiner Cryptominer
KingMiner mines the Monero cryptocurrency and targets Windows servers. It was first detected in the wild in mid-June, and quickly after that improved versions were released in the wild. Whoever is behind the miner is using various evasion techniques, which leads to significantly reduced detection rates, the researchers said. In addition, the number of infections is growing steadily.
KingMiner specifically targets Microsoft servers, mainly IIS and SQL, and attempts to guess their passwords by using brute-force attacks. Once access is obtained, the malware downloads a Windows Scriptlet file (.sct) and executes it on the victim’s computer. The file performs the following operations:
- The file detects the relevant CPU architecture of the machine.
- If older versions of the attack files exist, it kills the relevant exe file process and deletes the files themselves.
- A payload ZIP file (zip\64p.zip) is downloaded based on the detected CPU architecture. It should be noted that it is not an actual ZIP file but rather an XML file, which will bypass emulation attempts.
- The XML payload includes a Base64 blob which, once decoded, will result in the intended “ZIP” file.
In case older versions of the malware files are detected on the targeted machine, they will be deleted by the new, currently active version. Upon extraction, KingMiner will create a set of new registry keys and will execute an XMRig miner file which is specified for Monero mining.
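As an added illustration (not Trend Micro's code or a sample from the campaign), the check below detects the "ZIP that is really XML" trick described above: it tests a downloaded blob for a real ZIP header and, if the file is XML text, looks for a Base64 run that decodes to a ZIP. The XML wrapper is constructed here; the member name config.json and the XML element names are assumptions.

```python
import base64
import io
import re
import zipfile
from typing import List, Optional

ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens every non-empty ZIP
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long Base64-looking runs only


def find_wrapped_zip(data: bytes) -> Optional[bytes]:
    """Return the raw ZIP hidden as a Base64 blob inside XML text, or None."""
    if not data.lstrip().startswith(b"<"):
        return None
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded.startswith(ZIP_MAGIC):
            return decoded
    return None


def classify_payload(data: bytes) -> str:
    """'zip' for a genuine archive, 'xml-wrapped-zip' for the evasion trick, else 'xml'/'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if find_wrapped_zip(data) is not None:
        return "xml-wrapped-zip"
    if data.lstrip().startswith(b"<"):
        return "xml"
    return "unknown"


def list_members(data: bytes) -> List[str]:
    """Member names of the plain or XML-wrapped ZIP; [] if none can be recovered."""
    raw = data if data.startswith(ZIP_MAGIC) else find_wrapped_zip(data)
    if raw is None:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_sample_xml_wrapper() -> bytes:
    """Constructed test input: a tiny benign ZIP wrapped in XML, mimicking the format described."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("config.json", '{"note": "constructed sample, not a real miner config"}')
    return b'<?xml version="1.0"?>\n<payload>' + base64.b64encode(buf.getvalue()) + b"</payload>\n"
```

Running classify_payload over files fetched by a scriptlet gives a cheap triage signal: a download named .zip whose content classifies as xml-wrapped-zip is worth a closer look.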
The analysis shows that the miner is configured to use 75% of the infected machine's CPU capacity. However, coding errors actually push it to 100% CPU utilization.
As for the malware's mining pool, it is private and the API has been turned off, and the wallet has never been used in public mining pools. This makes it practically impossible for researchers to track the domains that are in use, or to determine the amount of Monero mined.
Who’s targeted? Researchers say that they can see that the attack is currently widely spread, from Mexico to India, Norway and Israel.
KingMiner is an example of evolving cryptocurrency mining malware that can bypass common detection and emulation systems, Trend Micro says. The researchers predict that more attacks of this type will be seen in the future.