New Case Study: Threat Hunter finds renamed system utilities by file hash to uncover multiple attacks   

Read Case Study

Search

KingMiner Malware Variant

November 29, 2018

The KingMiner malware was first seen in June this year, however a new variant has surfaced in the wild. Researchers have observed wide spread attacks from Mexico to India and Norway to Israel. KingMiner will typically target ISS/SQL Microsoft servers with brute force attacks to gain credentials in order to compromise a server. Once KingMiner gains access to the machine, it will download a .sct Windows Scriptlet file and execute it on the victim’s machine. This script has the ability to use a tailored payload depending on the CPU that is being affected. The script begins by scanning the architecture of the CPU and then downloads the tailored payload. The payload appears to be a .zip file, however it is an XML file that will “bypass emulation attempts.” If the malware detects older versions of the attack files on the machine, the new variant will delete them, allowing the new variant to have as much power as it wants. The miner was configured to use 75 percent of the CPU, but due to coding flaws, the miner uses 100 percent. Once extracted, KingMiner’s payload will create a new set of registry keys and will execute an XMRig miner file for Monero mining. The mining pool used by KingMiner is currently private with the API turned off. This allows whomever is behind these attacks to remain secretive. In addition to these privacy settings, the wallet that the currency is transferred to has never been seen in a public mining pool, making it impossible to track the total amount of money that has been stolen using KingMiner, or to know what domains are in use.

Because KingMiner uses brute force to gain victim’s credentials, users are advised to ensure that their password is strong. Using stronger passwords can make it harder for the brute force attack. Users can also use 2FA (two factor authentication) since KingMiner scans frequently. 2FA adds more protection for the user since it requires two steps to login. Carrying out frequent scans of machines will also allow users to know if they are infected by any crypto-mining malware or other issues. Checking the computing power of a machine can also help users alert to crypto-mining malware if they notice they are using a lot of CPU doing simple tasks or when the machine is sitting dormant.

Analyst Notes

Because KingMiner uses brute force to gain victim’s credentials, users are advised to ensure that their password is strong. Using stronger passwords can make it harder for the brute force attack. Users can also use 2FA (two factor authentication) since KingMiner scans frequently. 2FA adds more protection for the user since it requires two steps to login. Carrying out frequent scans of machines will also allow users to know if they are infected by any crypto-mining malware or other issues. Checking the computing power of a machine can also help users alert to crypto-mining malware if they notice they are using a lot of CPU doing simple tasks or when the machine is sitting dormant.