KingMiner was purportedly firstly detected in mid-June, subsequently evolving in two improved versions. The malware attacks Windows Servers by deploying various evasion methods to skirt its detection. Per Check Point data, several detection engines have registered significantly decreased detection rates, while sensor logs have shown a growing number of KingMiner attacks.
The firm has been monitoring KingMiner activity over the past six months and concluded that the malware has evolved in two new versions. The blog post further explains:
“The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation. In addition, as part of the malware’s ongoing evolution, we have found many placeholders for future operations or upcoming updates which will make this malware even harder to detect.”
Check Point has determined that KingMiner uses a private mining pool to bypass any detection of their activities, wherein the pool’s (API) is turned off and the wallet is not used in any public mining pools. The attacks are reportedly widely spread around the world.
According to the company’s findings, the malicious software attempts to guess passwords of the servers it attacks. Once a user downloads and executes the Windows Scriptlet file, it reportedly identifies the relevant Central Processing Unit (CPU) architecture of the device and downloads a payload ZIP file based on the detected CPU architecture.
The malware eventually destroys the relevant .exe file process and deletes the files themselves, if older versions of the attack files exist. Check Point also notes that the file is not an actual ZIP file, but rather an XML file, which will circumvent emulation attempts…