New KingMiner cryptojacker hijacks Windows servers and uses advanced detection evading techniques
- KingMiner is a cryptojacking malware that first emerged in June 2018.
- The malware launches brute force attacks against Windows servers to gain access to credentials.
KingMiner is a cryptojacking malware that first emerged in June 2018. The malware targets Windows servers and mines for Monero. To gain access, it launches brute force attacks against the credentials of Windows servers.
The malware is designed to detect the CPU architecture of a targeted system. KingMiner has already been upgraded twice, indicating that its authors are actively improving it. According to security researchers at Check Point, KingMiner infections have been increasing of late.
“Since its first appearance, KingMiner has been developed and deployed in two new versions. The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation,” Check Point researchers said in a report.
KingMiner uses several obfuscation techniques to evade detection. The cybercriminals operating the malware also use a private mining tool to prevent investigators from monitoring KingMiner’s activities. In the six months since it first appeared, the cryptominer has already infected a wide swath of the globe, from Mexico to India and from Norway to Israel.
“KingMiner is an example of evolving Crypto-Mining malware that can bypass common detection and emulation systems. By implementing simple evasion techniques, the attacker can increase the probability of a successful attack,” Check Point researchers said. “We predict that such evasion techniques will continue to evolve during 2019 and become a major (and more common) component in Crypto-Mining attacks.”