Delaware, USA – November 30, 2018 – KingMiner is a cryptocurrency mining malware that attacks mostly IIS\SQL Servers. It was discovered six months ago, and since then its authors have continuously added new features and bypass methods to avoid emulation. Researchers from Check Point discovered a new campaign spreading the KingMiner cryptojacker. The malware conducts brute force attacks against Microsoft servers. Once a password is guessed, an SCT (scriptlet) file is downloaded and executed on the attacked system. The scriptlet detects the CPU architecture and downloads a payload matching it, which includes the XMRig CPU miner configuration file, the main executable file, a DLL and binary blob files. After all files are extracted, the EXE file is executed, creating the XMRig miner file and registry keys. The DLL file contains several unused functions, which may be weaponized in further attacks. The XMRig component is configured to use 75 percent of CPU capacity, but it takes up 100% of the CPU power.
Threat actors behind this campaign use a private mining pool, so it is unknown how successful they are. However, the attacks target Windows Servers worldwide, and they can almost completely paralyze the operations of a company. You can detect password-guessing attempts against your servers using the Brute Force Detection rule pack, which analyzes successful and unsuccessful authentication events from a wide variety of systems and services, from the hypervisor layer all the way up to API layers: https://my.socprime.com/en/integrations/brute-force-detection-hpe-arcsight
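The detection idea behind the rule pack, as an added example that is not part of this announcement or of the linked rule pack: a burst of failed Windows logons (event 4625) from one source, followed by a successful logon (4624) from the same source, is the signature of a password guess that landed. The sample events, the threshold and the window are constructed assumptions.

```python
# Added example: minimal brute-force-then-success detector over Windows
# Security events. Event data, threshold and window are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, account)
SAMPLE_EVENTS = [
    ("2018-11-30T10:00:00", 4625, "198.51.100.7", "sa"),
    ("2018-11-30T10:00:02", 4625, "198.51.100.7", "sa"),
    ("2018-11-30T10:00:04", 4625, "198.51.100.7", "administrator"),
    ("2018-11-30T10:00:05", 4625, "198.51.100.7", "sa"),
    ("2018-11-30T10:00:07", 4625, "198.51.100.7", "sa"),
    ("2018-11-30T10:00:09", 4624, "198.51.100.7", "sa"),     # guess landed
    ("2018-11-30T10:01:00", 4625, "203.0.113.9", "alice"),   # single typo
    ("2018-11-30T10:02:00", 4624, "203.0.113.9", "alice"),   # benign login
]


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "account": last account tried,
    "success_after": bool}} for every source that produced `threshold` or
    more failed logons inside a sliding `window`. success_after becomes True
    when a 4624 from the same source follows the burst, i.e. the guess worked
    and the host should be treated as compromised, not merely probed."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent 4625s
    alerts = {}
    for ts, event_id, src, account in sorted(events):
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            # drop failures that fell out of the window, then add this one
            failures[src] = [f for f in failures[src] if t - f <= window] + [t]
            if len(failures[src]) >= threshold and src not in alerts:
                alerts[src] = {"failures": len(failures[src]),
                               "account": account, "success_after": False}
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after"] = True
            alerts[src]["account"] = account
    return alerts


if __name__ == "__main__":
    for src, info in find_brute_force(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures, account={info['account']}, "
              f"success_after={info['success_after']}")
```

In a real deployment the same logic runs over 4625/4624 events forwarded from the servers, and the success_after case is the one to escalate, since it corresponds to the point where KingMiner's scriptlet would be downloaded.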