Malware used to mine Monero on infected Windows Servers has evaded detection by relying on a complicated self-improvement algorithm. In a paper published this week, researchers at the Israeli cybersecurity firm Check Point Software Technologies have identified the cryptojacker software KingMiner and warned that it would likely continue to see updates, making it even harder to detect.
KingMiner, which mainly targets SQL Server and Internet Information Services (IIS) servers, relies on brute force methods to guess the password of the users and compromise the machine during the initial phase of the attack. The malware was initially discovered in mid-June 2018, with two improved versions being released shortly after. The Israeli researchers expect the number of KingMiner attacks to increase.
“The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates. Based on our analysis of sensor logs, there is a steady rise in the number of KingMiner attack attempts.”
Method of Attack
After gaining access, the malware downloads and executes a Windows Scriptlet file, then detects the infected machine’s CPU architecture. The software is also capable of detecting and deleting older versions of itself. KingMiner then downloads an XML file disguised as a ZIP archive to bypass emulation attempts.
After the extraction is completed, KingMiner creates new registry keys and executes a Monero-mining XMRig file. Although the malware limits its consumption to 75% of the CPU capacity, bad code could result in higher consumption.
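The "XML disguised as a ZIP archive" step above is a content/extension mismatch, which is something a defender can check for without relying on a detection engine's emulation. The following Python is an added illustration written for this page, not code from Check Point or the article; the file names, byte strings and the `.sct` extension mapping are constructed sample data, and the check simply compares a file's leading bytes against what its extension claims.

```python
"""Flag downloaded files whose content does not match their extension.

Added illustration for the KingMiner write-up: an XML document saved as
.zip (as described in the article) is caught because ZIP archives start
with the 'PK' local-file-header signature, not with '<?xml'.
"""

# ZIP local-file header, empty-archive (end of central directory) and
# spanned-archive signatures, respectively.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
UTF8_BOM = b"\xef\xbb\xbf"

# Extension -> content type we expect to find behind it.
EXPECTED_BY_EXT = {"zip": "zip", "xml": "xml", "sct": "scriptlet"}


def sniff_type(data: bytes) -> str:
    """Classify a payload from its bytes alone: zip, xml, scriptlet or unknown."""
    head = data[:4096]
    if head.startswith(ZIP_MAGICS):
        return "zip"
    if head.startswith(UTF8_BOM):
        head = head[len(UTF8_BOM):]
    text = head.lstrip()
    if text.startswith(b"<"):
        # Windows Scriptlet (.sct) files are XML documents with a <scriptlet> root.
        if b"<scriptlet" in text.lower():
            return "scriptlet"
        return "xml"
    return "unknown"


def check_download(claimed_name: str, data: bytes) -> dict:
    """Compare the extension's implied type with the sniffed type."""
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    actual = sniff_type(data)
    expected = EXPECTED_BY_EXT.get(ext, "unknown")
    # Only raise a flag when we know what the extension should contain.
    suspicious = expected != "unknown" and actual != expected
    return {"name": claimed_name, "claimed": expected, "actual": actual, "suspicious": suspicious}


# Constructed sample payloads (not real KingMiner artefacts).
SAMPLES = {
    # XML posing as a ZIP archive: the mismatch the article describes.
    "update.zip": b'<?xml version="1.0"?><config><cpu_limit>75</cpu_limit></config>',
    # A genuine ZIP local-file header followed by padding.
    "archive.zip": b"PK\x03\x04" + b"\x00" * 26,
    # A Windows Scriptlet file saved under its own extension (no mismatch).
    "loader.sct": b'<?xml version="1.0"?>\n<scriptlet>\n<registration progid="demo"/>\n</scriptlet>',
}


def scan_samples() -> list:
    """Run the check over every constructed sample and return the findings."""
    return [check_download(name, data) for name, data in SAMPLES.items()]


if __name__ == "__main__":
    for finding in scan_samples():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f'{finding["name"]}: claimed={finding["claimed"]} actual={finding["actual"]} -> {flag}')
```

Magic-byte sniffing is cheap enough to run on every file a web proxy or endpoint agent sees land on disk; the point is that the decision is made on content, so renaming the payload buys the attacker nothing against this check.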
Although the malware employs relatively simple evasion methods – such as obfuscation and running only the executable file – those techniques seem to significantly decrease detection rates. The creators of KingMiner have also taken additional measures to avoid being traced, and the researchers were unable to identify their precise location or identity.
“It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private. However, we can see that the attack is currently widely spread, from Mexico to India, Norway and Israel.”
New Wave of Cryptojacking
Although in October of this year cryptojacking attacks were seen as being on the decline, it now appears that a second wave of attacks is sweeping over crypto communities – and this time the malware appears to be much harder to detect. Last week, security researcher VriesHD published a study showing that over 400,000 routers worldwide were infected by a new cryptojacking software. VriesHD believed Wi-Fi routers were the preferred target because a significant portion of them are provided by ISPs to users with limited technical knowledge.
According to Check Point Software, KingMiner is an ‘example of evolving crypto-mining malware’, capable of avoiding common detection and emulation systems. Researchers predict that such attacks will continue to grow and evolve during 2019, and will become a major component in crypto-mining attacks.
Source: CRYPTOVEST (https://cryptovest.com/news/researchers-discover-next-gen-cryptojacking-malware/)