Kingminer Botnet: The Persistent Nuisance

Cyberattacks are on the rise and the threat actors are constantly upping their game to stay relevant and cause maximum damage. However, some old tactics have made a comeback, which are being leveraged to spread malware such as Kingminer.

What’s going on?

According to a report by Sophos, threat actors behind the Kingminer botnet are using the EternalBlue exploit to propagate malware. Lately, the botnet has made headlines by brute-forcing the ‘sa’ user, the highest-privileged account on an MSSQL database. The operators are capable of gaining root over the underlying Windows server where the MSSQL database is running, by the exploitation of privilege escalation bugs - CVE-2017-0213 or CVE-2019-0803.

Know your history

  • Kingminer has been active since mid-June 2018 and the botnet’s codes have been under constant evolution.
  • In 2019, the botnet was discovered to be mining a new trojan variant online.
  • In 2018, it was found to target Microsoft servers (mostly IIS\SQL) and guess the passwords.
  • The EternalBlue exploit saw the first light of day in 2017, while disseminating NotPetya and WannaCry ransomware.

Worth noting

  • Apart from EternalBlue, Kingminer is also using the BlueKeep vulnerability found in Microsoft’s RDP to target victims.
  • The operators use DLL side-loading tricks, similar to Chinese APT groups.
  • When the goal is not too malicious, the actors use Github and other public repositories to store files, such as Mimikatz password stealer, XMRig miner payloads, and reflective loader scripts.
  • The IOCs can be found here.

The bottom line

Kingminer is a moderately successful but creative criminal-enterprise, where the actors create their own solutions instead of relying on underground marketplaces. With the rising adoption of open-source solutions by the group, their exploits are expected to accelerate.