The malware was first spotted in June this year and targets Microsoft IIS and SQL Server machines, brute-forcing login credentials in order to gain access to the server.
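The infection vector described above is a credential brute force against the SQL Server login, which leaves a burst of failed-login records (SQL Server error-log entries for Event ID 18456, "Login failed for user") followed by a success once a password is guessed. The following detector, an added example that is not code from the original page or from the Check Point report, parses a constructed sample of such log lines, flags any client address with a burst of failures inside a sliding window, and notes whether a successful login followed the burst (the pattern that indicates the credentials were actually compromised). The log format, addresses, user names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a SQL Server error-log "Logon" line (Event ID 18456 on failure).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def _stamp(dt):
    # SQL Server logs two fractional digits; strftime gives six, so trim.
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]


def sample_log():
    """Constructed sample log (not real data): one host hammers the 'sa'
    account 12 times in two minutes and then succeeds; another host has two
    stray failures that should stay below the alert threshold."""
    base = datetime(2018, 6, 1, 10, 0, 0)
    fail = ("{ts} Logon       Login failed for user '{u}'. Reason: Password did "
            "not match that for the login provided. [CLIENT: {c}]")
    ok = ("{ts} Logon       Login succeeded for user '{u}'. Connection made "
          "using SQL Server authentication. [CLIENT: {c}]")
    lines = []
    for i in range(12):
        ts = _stamp(base + timedelta(seconds=10 * i))
        lines.append(fail.format(ts=ts, u="sa", c="203.0.113.7"))
    lines.append(ok.format(ts=_stamp(base + timedelta(minutes=3)),
                           u="sa", c="203.0.113.7"))
    for i in range(2):
        ts = _stamp(base + timedelta(hours=1, seconds=i))
        lines.append(fail.format(ts=ts, u="reports", c="198.51.100.9"))
    return "\n".join(lines) + "\n"


def parse_logon_events(text):
    """Turn log text into a time-sorted list of logon events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Logon line; ignore
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["result"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {client: alert} for every client with at least `threshold`
    failed logins inside any `window`; each alert records the peak failure
    count, the targeted user names, and whether a successful login from the
    same client followed the burst (a likely compromise)."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    alerts = {}
    for client, evs in by_client.items():
        failures = [e for e in evs if not e["ok"]]
        start, best, burst_end = 0, 0, None
        # Sliding window over failure timestamps (events are time-sorted).
        for end, e in enumerate(failures):
            while e["ts"] - failures[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, e["ts"]
        if best < threshold:
            continue
        compromised = any(e["ok"] and e["ts"] >= burst_end for e in evs)
        alerts[client] = {
            "failures_in_window": best,
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": compromised,
        }
    return alerts


if __name__ == "__main__":
    for client, alert in detect_bruteforce(parse_logon_events(sample_log())).items():
        print(client, alert)
```

A burst that ends in a success is the case worth paging on: at that point the next expected artifacts are the scriptlet download and the miner process, so the alert should trigger a host-side look at that server rather than just a firewall block of the source address.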
Once it has access, the malware downloads a Windows Scriptlet file (.sct) and executes it on the victim's machine.
During execution the scriptlet performs several functions, such as detecting the machine's CPU architecture. If an older version of the attack files is present on the system, the new version removes them.
It then downloads a payload ZIP file which is actually an XML file, a trick used to bypass emulation attempts.
After the file is extracted, the payload creates a set of new registry keys and executes an XMRig miner to mine Monero.
According to the researchers, although the miner is configured to use 75% of the CPU capacity, it actually uses 100%.
“Check Point Researchers have been monitoring the KingMiner activity since its first appearance and throughout its evolution in the past 6 months. Since its first appearance, KingMiner has been developed and deployed in two new versions. The malware continuously adds new features and bypass methods to avoid emulation,” the Check Point researchers said in their post.
The researchers also discovered many placeholders for future updates, which will make the malware even harder to detect.
To prevent monitoring of their activity, the threat actors behind KingMiner use a private mining pool, and the pool's API has been turned off. The wallet has never been used in any public mining pool, so the researchers were unable to determine which domains the attackers use.
Researchers discovered widespread infections from Mexico to India, Norway and Israel.