A sophisticated actor, or actors, is presently using an “evolving” type of crypto-jacking software to infect private systems from Mexico to India to Norway to Israel, commandeering them for the mining of Monero, a popular “privacy cryptocurrency” difficult to trace.
The malware, called “KingMiner,” has been extensively studied by researchers at the Israeli cybersecurity firm Check Point Research (CPR), who blogged about it in a recent company post:
“Throughout the year, we have seen evidence of a significant surge in both reports and number of attacks. Despite a recent plateau in crypto currency values, the attack methods and techniques still continue to improve in ingenuity and effectiveness.”
CPR says KingMiner was first detected in June 2018, and that its appearance was, “…rapidly followed by the deployment of two improved versions.”
The malware targets Windows Servers, and, “…continuously adds new features and bypass methods to avoid emulation.”
“As a result, several detection engines have noted significantly reduced detection rates,” CPR writes.
The malware begins by targeting servers and attempting to guess passwords.
Once inside a system, a script file is downloaded and executed on victim’s machine.
Any old attack files are deleted in favor of improved ones, and the malware then downloads a “payload zip file” containing five files (including a “binary blob”) which collectively work to commandeer 100% of the attacked system’s CPU power for the mining of Monero. (A CPU is a “central processing unit,” a computer’s data processing “engine.”)
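The two traits of this infection chain that a server operator can actually observe are the password guessing at the start and a process pinning the CPU at 100% at the end. The following is an added detection example, not Check Point’s code and not part of the original article; the failed-logon records and the CPU samples are constructed, loosely modelled on Windows Security event 4625 and on periodic per-process CPU readings, and the thresholds, the process names and the `allowlist` parameter are assumptions chosen for illustration.

```python
"""Defender-side detection for the two observable traits described in the article:
repeated failed logons from one source (password guessing) and a single process
holding the CPU near 100% for a sustained period (crypto-mining).

Added example; all records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (ISO timestamp, source IP, attempted username).
# Shape loosely modelled on Windows Security event 4625 ("An account failed to log on").
FAILED_LOGONS = [
    ("2018-06-01T10:00:01", "203.0.113.7", "administrator"),
    ("2018-06-01T10:00:03", "203.0.113.7", "admin"),
    ("2018-06-01T10:00:05", "203.0.113.7", "sa"),
    ("2018-06-01T10:00:07", "203.0.113.7", "administrator"),
    ("2018-06-01T10:00:09", "203.0.113.7", "root"),
    ("2018-06-01T10:00:11", "203.0.113.7", "admin"),
    ("2018-06-01T10:00:13", "203.0.113.7", "sa"),
    ("2018-06-01T10:00:15", "203.0.113.7", "administrator"),
    # A user who mistyped a password twice, well apart: not an attack.
    ("2018-06-01T10:02:00", "198.51.100.20", "jsmith"),
    ("2018-06-01T10:40:00", "198.51.100.20", "jsmith"),
    # Five failures spread across an hour: never five inside one 5-minute window.
    ("2018-06-01T10:00:00", "192.0.2.9", "backup"),
    ("2018-06-01T10:15:00", "192.0.2.9", "backup"),
    ("2018-06-01T10:30:00", "192.0.2.9", "backup"),
    ("2018-06-01T10:45:00", "192.0.2.9", "backup"),
    ("2018-06-01T11:00:00", "192.0.2.9", "backup"),
]

# Constructed CPU samples taken every 10 seconds: (ISO timestamp, process name, CPU %).
# "unknown_proc.exe" is a placeholder name for an unrecognised process, not a real IoC.
CPU_SAMPLES = []
for i, (unk, sql, svc) in enumerate([(99, 95, 3), (100, 96, 4), (100, 30, 2), (99, 20, 5),
                                     (100, 20, 3), (100, 95, 4), (100, 97, 2), (99, 30, 3)]):
    ts = (datetime(2018, 6, 1, 10, 5, 0) + timedelta(seconds=10 * i)).isoformat()
    CPU_SAMPLES += [(ts, "unknown_proc.exe", unk), (ts, "sqlservr.exe", sql), (ts, "svchost.exe", svc)]


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max failures seen inside any sliding `window`} for sources
    that reached `threshold` failures in that window. Usernames are ignored on purpose:
    guessing campaigns rotate them, so counting per source catches more than per account."""
    by_src = defaultdict(list)
    for ts, src, _user in events:
        by_src[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def find_sustained_cpu(samples, min_pct=90.0, min_consecutive=6, allowlist=frozenset()):
    """Return {process: longest run of consecutive samples at or above `min_pct`} for
    processes whose run reached `min_consecutive`. Samples must be in time order.
    Legitimate bursts (a database query, a backup) drop below the line quickly;
    a miner does not. `allowlist` suppresses known heavy but expected processes."""
    run, best = defaultdict(int), defaultdict(int)
    for _ts, proc, pct in samples:
        if pct >= min_pct:
            run[proc] += 1
            best[proc] = max(best[proc], run[proc])
        else:
            run[proc] = 0  # any dip resets the streak
    return {p: n for p, n in best.items() if n >= min_consecutive and p not in allowlist}


if __name__ == "__main__":
    print("password guessing:", find_password_guessing(FAILED_LOGONS))
    print("sustained CPU:", find_sustained_cpu(CPU_SAMPLES, allowlist={"sqlservr.exe"}))
```

Run as a script it flags only `203.0.113.7` (eight failures within fifteen seconds) and only `unknown_proc.exe` (eight consecutive samples at 99-100%); the database process spikes twice but never holds the line long enough, and the spread-out `192.0.2.9` failures never fit in one window. On a real host the same two functions would be fed by the Security event log and a periodic process-list poll, with the thresholds tuned to the server’s normal load.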
The malware also reportedly cordons off areas for future infections and updates:
“In addition, as part of the malware’s ongoing evolution, we have found many placeholders for future operations or upcoming updates…(designed) to significantly decrease the detection rate.”
Data provided by CPR also seems to indicate that common household anti-virus software may not be able to detect a KingMiner infection.
Steps are taken on the other end as well to obscure the origins of KingMiner and any details about who may be deploying it:
“It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private. However, we can see that the attack is currently widely spread, from Mexico to India, Norway and Israel.”
CPUs may also be overclocked by certain malware, and computers can be rendered “zombified” and unable to “sleep,” both of which run them down.
Meanwhile, as the system sends any successfully mined Monero directly to an attacker’s wallet, the victim is left to pay the resulting electricity bills, which can be significant.