In 2018, crypto-mining attacks have grown and evolved rapidly. With the rise in popularity of cryptocurrencies, hackers are motivated mainly to exploit the CPU power of victims' machines to perform mining operations. Recently, a team of security analysts discovered a sample of a new crypto-mining malware named KingMiner that forces its way into Windows servers to use their CPU cycles for mining Monero coins.
Detailed Researchers' Report on the New KingMiner
KingMiner was first detected by security analysts six months ago, and this crypto-mining malware has gone through several evolution stages since. It was detected in mid-June and has so far received two updates, while the number of attacks keeps increasing. The Check Point researchers who named it KingMiner found that it targets Microsoft SQL Server and IIS servers and runs brute-force attacks to gain access. As soon as KingMiner gets inside the machine, it determines the CPU architecture and checks for older versions of itself.
In-Depth Evolution Information of KingMiner
KingMiner belongs to the worst class of crypto-mining malware: it relies on the freely available XMRig miner to mine Monero coins, using a configuration file that points to a private mining pool with the API disabled to keep it away from prying eyes. KingMiner is configured to use about 75% of CPU resources, but in practice it uses 100% of the processor. This crypto-mining malware also implements various defenses against detection and emulation environments.
From June to October, KingMiner continued to improve, moving to an obfuscated payload and a modified configuration file. These modifications led to a low detection rate. To stay hidden from security products, it relies on simple methods. Based on its behavior and rapid growth, security analysts predict that KingMiner will continue to evolve in 2019.
Distribution Tactics of KingMiner
KingMiner uses many deceptive ways and social engineering tactics to compromise a PC, but some of the most common indicators used to detect it are:
- An executable, powered.exe, that exports functions from DLL files.
- Obfuscated 32p/64p.zip files that include basic XML-format data.
- Decoding x.txt/y.png into the XMRig CPU miner executable.
- Adding md5.txt content to DLL files, among others.