In a research note on Thursday, the firm’s Ido Solomon and Adi Ikan said that KingMiner, a Monero-mining malware that first appeared about six months ago, is evolving over time to avoid detection, even replacing older versions of itself that it encounters on host machines.
The researchers said:
“The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation.”
As a result of these tactics, security products are now detecting the malware at “significantly” reduced rates.
The malware usually targets Microsoft servers (predominantly IIS\SQL) and, while configured to harness 75 percent of the victim machine’s CPU capacity for mining, in practice it consumes the full 100 percent.
To keep a low profile, KingMiner also uses a private mining pool rather than a public one, and that pool has its API switched off…
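The two traits above, a process that pins the CPU at 100 percent and then talks to a private pool, are what a defender on an IIS or SQL host can actually look for. The following PowerShell script is an added example written for this article; it is not code from the researchers or from the malware, and the sample count, interval and 85 percent threshold are assumptions to be tuned per host. It samples every process's cumulative CPU time, flags any process that stays above the threshold across every sample, and lists the remote addresses that process is connected to, so a miner phoning home to its pool shows up alongside its CPU usage.

```powershell
# Added example, not from the article: flag processes that sustain near-full
# CPU on a Windows server and show where they are connecting.
# Threshold/interval values are assumptions; adjust for the workload.
param(
    [int]$Samples = 6,
    [int]$IntervalSeconds = 5,
    [double]$CpuThresholdPercent = 85.0
)

function Get-CpuSnapshot {
    # Map PID -> cumulative CPU seconds the process has consumed so far.
    # PID 0 (Idle) is skipped: on a quiet box it would "use" all the CPU.
    $snap = @{}
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        if ($p.Id -eq 0) { continue }
        try { $snap[$p.Id] = $p.TotalProcessorTime.TotalSeconds } catch {}
    }
    return $snap
}

function Find-SustainedCpuHog {
    param([int]$Samples, [int]$IntervalSeconds, [double]$Threshold)

    $cores = [Environment]::ProcessorCount
    $hits  = @{}
    $prev  = Get-CpuSnapshot

    for ($i = 0; $i -lt $Samples; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $curr = Get-CpuSnapshot
        foreach ($id in $curr.Keys) {
            if (-not $prev.ContainsKey($id)) { continue }
            # Share of the whole machine's CPU used by this PID during the interval
            $pct = (($curr[$id] - $prev[$id]) / ($IntervalSeconds * $cores)) * 100
            if ($pct -ge $Threshold) {
                if (-not $hits.ContainsKey($id)) { $hits[$id] = 0 }
                $hits[$id]++
            }
        }
        $prev = $curr
    }

    foreach ($id in $hits.Keys) {
        # Report only processes that stayed hot in every sample, not brief spikes
        if ($hits[$id] -lt $Samples) { continue }
        $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
        if (-not $proc) { continue }
        $path = if ($proc.Path) { $proc.Path } else { '<access denied>' }
        # Established connections owned by the process: a miner's pool endpoint
        # appears here even when the pool is private and its API is off.
        $remotes = Get-NetTCPConnection -OwningProcess $id -State Established `
                       -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty RemoteAddress -Unique
        [PSCustomObject]@{
            PID     = $id
            Name    = $proc.ProcessName
            Path    = $path
            Remotes = ($remotes -join ', ')
        }
    }
}

Find-SustainedCpuHog -Samples $Samples -IntervalSeconds $IntervalSeconds `
                     -Threshold $CpuThresholdPercent | Format-Table -AutoSize
```

The threshold is deliberately set above the 75 percent the sample is configured for, so a miner behaving as its config says would not trip it, while the described 100 percent consumption would. Run it from an elevated prompt; otherwise `Path` and `Get-NetTCPConnection` return nothing for processes owned by other accounts, which is exactly the case for a service-level miner.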