Cryptojacking malware KingMiner’s improvements help evade detection to mine Monero

Crypto Heroes

KingMiner, a cryptojacking malware that mines Monero, keeps receiving improvements that let it continue to avoid detection, raising its chances of mining the cryptocurrency successfully.

KingMiner keeps getting improvements

Researchers at Israeli cybersecurity firm Check Point Software Technologies published a report noting that the KingMiner malware continues to receive updates intended to raise the probability of a successful attack. Those updates also make the malware harder to detect.

KingMiner, known for targeting Microsoft servers, usually Internet Information Services (IIS) and SQL Server, now uses brute-force attacks to guess users’ passwords and compromise their servers in the first phase of the attack.

Once the malware has gained access to a server, a Windows Scriptlet file (with the .sct file extension) is downloaded and executed on the victim’s machine. During execution, the machine’s CPU architecture is identified, and if older versions of the malware’s files are found, the new version deletes them. The malware then downloads another file, with a .zip extension, which it uses to bypass emulation attempts.

The payload waits until extraction is complete before creating new registry keys, and then executes the Monero-mining XMRig file. By design, the XMRig CPU miner uses roughly 75 percent of the machine’s CPU capacity, although on some occasions, because of coding errors, it exceeds that.
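The chain described above, a burst of guessed logons followed by a miner that pins the CPU near 75 percent, suggests two cheap host-side checks. The following is an added example, not code from the article or from Check Point’s report: it runs over constructed telemetry (the timestamps, IP addresses, account names, PIDs, image names and CPU figures are all invented for illustration) and the thresholds are assumptions. Neither check depends on the miner’s file name, which matters because the article notes the actor keeps replacing old versions with new ones.

```python
"""Two detections for the KingMiner-style chain: (1) a source that fails many
logons in a short window and then succeeds, (2) a process whose CPU share stays
high across every sample. Sample data and thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def _t(s):
    return datetime.fromisoformat(s)


# Constructed logon events: (timestamp, source IP, account, success?).
# One source hammers 'sa' and 'administrator', then gets in.
AUTH_EVENTS = [
    ("2018-11-30T10:00:00", "203.0.113.7", "sa", False),
    ("2018-11-30T10:00:12", "203.0.113.7", "sa", False),
    ("2018-11-30T10:00:25", "203.0.113.7", "sa", False),
    ("2018-11-30T10:00:40", "203.0.113.7", "administrator", False),
    ("2018-11-30T10:00:58", "203.0.113.7", "administrator", False),
    ("2018-11-30T10:01:15", "203.0.113.7", "administrator", False),
    ("2018-11-30T10:01:30", "203.0.113.7", "administrator", True),
    ("2018-11-30T10:03:00", "198.51.100.5", "backup", False),   # one typo, benign
    ("2018-11-30T10:03:20", "198.51.100.5", "backup", True),
]

# Constructed per-process CPU samples: (timestamp, pid, image, cpu_percent).
# w3wp.exe spikes once; sqlservr.exe is busy but moderate; the miner sits ~75%.
CPU_SAMPLES = [
    ("2018-11-30T10:05:00", 4120, "w3wp.exe", 12.0),
    ("2018-11-30T10:05:00", 612, "sqlservr.exe", 40.0),
    ("2018-11-30T10:05:00", 5588, "xmrig.exe", 74.5),
    ("2018-11-30T10:05:30", 4120, "w3wp.exe", 80.0),
    ("2018-11-30T10:05:30", 612, "sqlservr.exe", 45.0),
    ("2018-11-30T10:05:30", 5588, "xmrig.exe", 76.0),
    ("2018-11-30T10:06:00", 4120, "w3wp.exe", 18.0),
    ("2018-11-30T10:06:00", 612, "sqlservr.exe", 38.0),
    ("2018-11-30T10:06:00", 5588, "xmrig.exe", 75.2),
    ("2018-11-30T10:06:30", 4120, "w3wp.exe", 9.0),
    ("2018-11-30T10:06:30", 612, "sqlservr.exe", 42.0),
    ("2018-11-30T10:06:30", 5588, "xmrig.exe", 77.8),
    ("2018-11-30T10:07:00", 4120, "w3wp.exe", 22.0),
    ("2018-11-30T10:07:00", 612, "sqlservr.exe", 41.0),
    ("2018-11-30T10:07:00", 5588, "xmrig.exe", 75.0),
]


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {src: (failures_in_densest_window, success_after)} for every
    source with at least `threshold` failed logons inside `window`."""
    by_src = defaultdict(list)
    for ts, src, _user, ok in events:
        by_src[src].append((_t(ts), ok))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [t for t, ok in evs if not ok]
        best, best_end, start = 0, None, 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, fails[end]
        if best >= threshold:
            # A success at or after the burst means the guess probably landed.
            success_after = any(ok and t >= best_end for t, ok in evs)
            hits[src] = (best, success_after)
    return hits


def detect_sustained_cpu(samples, floor=70.0, min_samples=4):
    """Return [(pid, image, mean_cpu)] for processes whose every sample is at
    or above `floor` percent. A single spike is not enough; a miner is."""
    by_pid, image = defaultdict(list), {}
    for _ts, pid, name, cpu in samples:
        by_pid[pid].append(cpu)
        image[pid] = name
    return [
        (pid, image[pid], round(mean(cpus), 1))
        for pid, cpus in by_pid.items()
        if len(cpus) >= min_samples and min(cpus) >= floor
    ]


if __name__ == "__main__":
    for src, (n, got_in) in detect_bruteforce(AUTH_EVENTS).items():
        print(f"brute force from {src}: {n} failures, success afterwards: {got_in}")
    for pid, name, cpu in detect_sustained_cpu(CPU_SAMPLES):
        print(f"sustained CPU: pid {pid} ({name}) averaging {cpu}%")
```

On a real IIS or SQL Server host the logon events would come from Windows Security event 4625/4624 or SQL Server error 18456, and the CPU samples from a performance counter poll; the floor of 70 percent is chosen to sit just under the 75 percent figure the report gives for the miner, and the success-after-burst flag is what separates a noisy scanner from a compromise.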

KingMiner has avoided detection with simple mechanisms, including obfuscation and running its executable in a way meant to leave no trace of activity. The malware also takes extensive measures to ensure that its actions are not monitored and that its creators cannot be traced.

The report pointed out that “It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private.”

Growing KingMiner attacks put it on the radar

Even though KingMiner’s activities have been hard to detect, the increasing number of attacks by the malware has put it on the radar of security companies, Check Point Software Technologies pointed out.

Cryptojacking has surged over the past few months and has become one of the leading cybersecurity threats. McAfee Labs recently reported that cryptojacking cases rose by 86 percent in the second quarter of this year. The report noted that cryptojacking malware mostly targets smartphones and other internet-connected mobile devices rather than personal computers, an indication that cybercriminals are widening their target base as cryptocurrency prices continue to plunge.
