Specialists of the company CheckPoint told about the evolution of the mining Malware Kingminer, first discovered in the summer of 2018.
During this time, the malware attacking Windows servers, received two updates, got an obfuscation, and the number of its attacks is constantly growing.
Analysts write that Kingminer primarily attacks Microsoft’s IIS and SQL servers using brute force and dictionary attacks to gain access to the system. If access is received, the malware verifies which CPU architecture it is dealing with, and also searches the system for its own old versions (if any, Kingminer deletes them, replacing them with new ones).
At the same time Kingminer tries to avoid detection and act secretly. For example, the malware detects emulators and does not run in a test environment, and it also uses XML pagers disguised as ZIP archives.
The malware is built on the basis of open-source Xmrig and produces cryptocurrency monero. In the configuration of malware, you can find data about a private mining pool with a disabled API, which also allows criminals to avoid unnecessary attention.
According to researchers, Kingminer should delay 75% of the CPU capacity of infected systems, but for some reason the miner uses processors for all 100%. Obviously, this is to blame for a bug in the code.
According to CheckPoint, already now Kingminer is distributed in different countries of the world, including Mexico, India, Norway and Israel. And analysts anticipate that in the future 2019 year the miner can become even more dangerous, as its developers seem to be seriously intending to add to the arsenal of Kingminer and other techniques of avoidance of detections. Currently, the latest versions of Malvari are poorly detectable by protective products.
Thus, at the time of publication of the report, the threat in Kingminer saw only seven protective solutions presented at VirusTotal.