KingMiner is a malware program that hijacks a host computer and diverts the computer's processing power towards mining a cryptocurrency called Monero. This malware infects Windows Servers and uses several ingenious methods to avoid detection. KingMiner was first detected back in June, and new ways were developed to detect its presence, but reports from Check Point Research indicate that the malware has evolved. Sensor logs on the KingMiner botnet are indicating that the number of attacks is increasing while the detection rate is decreasing.
Check Point's findings indicate that the malicious software uses brute force to guess the passwords for the servers that it infects. When an unsuspecting user downloads the Windows Scriptlet file, the malware identifies what kind of CPU the system uses and then downloads a payload file which initiates the covert mining. The malware cleans up after itself by destroying the .exe files it came with along with any older versions that may still exist. Check Point stated that the new version does not use a ZIP file which would have been flagged, but uses XML files instead.
Once the files are downloaded, the malware starts to mine Monero using hijacked processing power. Researchers stated that KingMiner is designed, but in reality, it uses 100%. The researchers could not give an accurate count of how many coins have been mined in this manner due to the privacy features that are a part of Monero's blockchain.
Cryptomining malware has seen a boom that matched with the rising popularity of cryptocurrencies. Kaspersky Labs recently found that botnets, in particular, were sharing a higher number of crypto jacking malware files. 4.6% of all data downloaded by botnets in Q1 of 2018 were malware files similar to KingMiner. That's a rise from 2.9% in Q2 of 2017.
Stay safe out there, use good antivirus software and stay vigilant.
