Crypto Scams | Cryptojacking Malware KingMiner Escapes Detection to mine Monero


Researchers at Israeli cybersecurity firm Check Point recently found that KingMiner, a cryptojacking malware, is constantly upgrading itself to escape detection and increase its chances of success; every update makes detection tougher. The malware targets Microsoft servers, especially Internet Information Services (IIS) and SQL Server. In the initial phase of the attack it uses brute-force attacks to obtain user passwords and compromise the server.
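As an added example (not code from the article or from Check Point), the brute-force phase described above can be surfaced from SQL Server login-failure log lines by counting failures per source address in a sliding window; the log line format, the threshold and the sample lines are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, loosely modelled on SQL Server
# errorlog "Login failed for user" lines); not taken from the article.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]$"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (peak_failures_in_window, distinct_users)} for every
    source that produced at least `threshold` failed logins inside any
    sliding window of length `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames it tried
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not login failures
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, (0, 0))[0])
            flagged[ip] = (peak, len(users[ip]))
    return flagged


# Constructed sample: one source hammering 'sa' six times in 30 seconds,
# and one legitimate user with a single failure from another address.
SAMPLE_LOG = [
    f"2018-11-30 10:00:{s:02d} Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match. [CLIENT: 203.0.113.7]"
    for s in (1, 7, 13, 19, 25, 31)
] + [
    "2018-11-30 10:00:40 Logon       Login failed for user 'alice'. "
    "Reason: Password did not match. [CLIENT: 198.51.100.2]",
]

if __name__ == "__main__":
    for ip, (peak, n_users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failures in 1 minute across {n_users} user(s)")
```

The distinct-user count helps separate a single hammered account (as here) from password spraying across many accounts.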

Improved Version

First, it gains access, downloads a Windows Scriptlet file and executes it on the machine. Second, the machine's CPU architecture is detected, and any older versions of the malware found on the machine are deleted. Last, KingMiner downloads a file with a .zip extension to bypass emulation attempts.

After extraction, the malware payload creates new registry keys and executes the Monero-mining XMRig file. The XMRig CPU miner is meant to use 75% of the CPU capacity, but can exceed this as a result of coding errors. KingMiner takes ample measures to prevent its activities from gaining attention and to protect the identities of its creators.


“It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private.”

In the wake of Growing Attacks

Check Point Software Technologies observes that even as detection engines report reduced detection rates for KingMiner, a steady increase in the malware's attack attempts has been noted.

In November, TCU reported that McAfee Labs had discovered WebCobra.

McAfee Labs said that the Russian application WebCobra installs the Cryptonight miner or Claymore's Zcash miner:

“On x86 systems, it injects Cryptonight miner code into a running process and launches a process monitor,” McAfee observed. “On x64 systems, it checks the GPU configuration and downloads and executes Claymore’s Zcash miner from a remote server.”
