KingMiner Maxes Out Windows Server CPUs in Widespread Cryptomining Campaign

December 6, 2018 @ 9:00 AM
| |
2 min read

Researchers spotted a new cryptomining threat conducting brute-force attacks using 100 percent of Internet Information Services IIS/Structured Query Language (SQL) Microsoft Windows servers’ compute resources.

The malware, called KingMiner, is designed not to steal information but to harvest cryptocurrencies such as Monero, which require considerable processing power to crunch through the mathematical calculations behind them, according to researchers at Check Point.

KingMiner was first discovered this past June, but it has since spawned a new variant with even stronger cryptomining features that is now active in the wild.

Cryptomining Campaign Drains CPUs

Once it identifies its target, KingMiner attempts to guess the system’s password, then downloads and executes a Windows scriptlet file. In some cases, the malware is already active on the system, in which case the new version kills off its predecessor. Israel, Norway, Mexico and India are among the locations where the cryptomining campaign has successfully infected Windows machines, according to the researchers.

KingMiner uses a file called XMRig to mine Monero. Although it was designed to use up only 75 percent of a victim’s machine, in practice, it drains the entire capacity of the central processing unit (CPU) due to coding errors.

The cybercriminals behind KingMiner also take pains to avoid detection. By avoiding any public mining pools with its cryptocurrency wallet and turning off the application programming interface (API), for instance, it’s difficult to know how much Monero it has harvested so far. Emulation attempts, meanwhile, are bypassed through an XML file that has been disguised as a ZIP file within the payload. Additional evasion techniques include exporting functions and adding content to the executable’s dynamic link library (DLL) files.

How to Keep Cryptomining Malware at Bay

The researchers noted that KingMiner is likely to continue its evolution based on placeholders they found in the code for future updates and versions.

Cybercriminals are increasingly interested in mining cryptocurrency it requires less social engineering and malware can run quietly in the background. Eliminating threats such as KingMiner depends on widespread adoption of security information and event management (SIEM) technology and improved network endpoint protection.

Source: Check Point

Shane Schick
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.
Think On Demand banner
Think banner ad
Your browser doesn’t support HTML5 audio
Press play to continue listening
00:00 00:00