The researchers at Israeli Cybersecurity firm recently found that Kingminer, a cryptojacking malware is constantly upgrading it’s system to escape detection and increase chance of success. It will continue to update which will invariably make detection tougher. The malware’s prey are servers developed by Microsoft especially Internet Information Services (IIS) and SQL Server. It uses brute force attacks to get the password of the users and compromises the server during the initial phase of the attack.
Firstly, it gains access and downloads the Windows Scriplet file and then executes it on the machine. Secondly, machine’s CPU architecture is detected and if in case older versions of attacks are found, they are deleted. Lastly, KingMiner downloads a file with a .zip extension to bypass emulation attempts.
After extracting the new registry keys are created by malware payload and Monero-mining XMRig file is executed. Ideally, XMRig CPU miner uses 75% of the CPU capacity but can exceed this as result of coding errors. KingMiner is taking ample measures to prevent its activities from gaining attention and protecting identities of it’s creators
“It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private.”
In the wake of Growing Attacks
Check Point Software Technologies observes that even as detection engines report reduced detection rates of KingMiner, a steady increase in the malware’s attack attempts have been noted.
In November, TCU reported that McAfee labs discovered WeCobra.
McAfee Labs said that the Russian application WebCobra installs the Cryptonight miner or Claymore’s Zcash miner. As stated by McAfee labs,”
“On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor,” McAfee observed. “On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”