Researchers at the Israel-based cybersecurity firm Check Point Software Technologies report that KingMiner, a relatively new crypto-mining malware family first observed in June this year, is now circulating in the wild as a new and improved variant.
"Since its first appearance, KingMiner has been developed and deployed in two new versions. The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation," wrote Ido Solomon and Adi Ikan of Check Point. "We have found many placeholders for future operations or upcoming updates which will make this malware even harder to detect."
According to the company, KingMiner mostly targets Microsoft servers (predominantly IIS and SQL Server). Although the miner is configured to use 75 percent of the victim machine's CPU capacity, in practice it consumes the full 100 percent, so sustained CPU saturation on a server that should be idle is a useful first indicator of infection.
KingMiner uses several obfuscation techniques to evade detection. The operators also route the mining through a private mining pool, which prevents investigators from monitoring the miner's activity through public pool statistics. In the six months since it first appeared, the cryptominer has infected victims across a wide swath of the globe, from Mexico to India and from Norway to Israel.
The malware detects the CPU architecture of the machine (32-bit or 64-bit) and downloads a payload tailored to it. The payload is named as a .zip file but is actually an XML file; a scanner or sandbox that tries to unpack it as an archive fails, which is how the trick bypasses emulation attempts.
Source: checkpoint.com
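The extension-versus-content mismatch described above is cheap to check on the defender's side: classify a file by its leading bytes rather than by its name and flag any disagreement. The script below is an added illustration written for this article, not Check Point's code or KingMiner's; the file names and sample bytes are constructed here, and the XML sample only imitates the shape of the disguise rather than reproducing any real payload.

```python
"""Flag files whose declared extension disagrees with their actual content.

Added illustration of the .zip-that-is-really-XML evasion; not Check Point's
code. File names and sample bytes below are constructed for the example.
"""
import io
import zipfile

# Local-file, end-of-central-directory and spanned-archive signatures.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
UTF8_BOM = b"\xef\xbb\xbf"

# Extensions we know how to sniff; anything else is left as "unknown".
EXT_TO_TYPE = {"zip": "zip", "xml": "xml"}


def sniff_content(data: bytes) -> str:
    """Classify bytes by their leading signature, never by their file name."""
    head = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if head.startswith(ZIP_MAGICS):
        # A bare 'PK' prefix can be forged; confirm the central directory parses.
        return "zip" if zipfile.is_zipfile(io.BytesIO(data)) else "zip-header-only"
    body = head.lstrip()
    if body.startswith(b"<?xml") or body.startswith(b"<"):
        # Deliberately not parsed: attacker-controlled XML should go through
        # a hardened parser (e.g. defusedxml), not xml.etree, if it must be read.
        return "xml"
    return "unknown"


def declared_type(filename: str) -> str:
    """What the extension claims the file is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def check_masquerade(filename: str, data: bytes) -> dict:
    """Return the declared and sniffed types plus a mismatch flag."""
    declared = declared_type(filename)
    actual = sniff_content(data)
    return {
        "file": filename,
        "declared": declared,
        "actual": actual,
        "mismatch": declared != "unknown" and actual != declared,
    }


def build_real_zip() -> bytes:
    """Constructed benign archive, so the check has a true negative to compare."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless archive")
    return buf.getvalue()


# Constructed sample imitating the disguise: XML saved under a .zip name.
FAKE_ZIP_XML = (
    b'<?xml version="1.0"?>\n'
    b"<config><item name=\"example\">placeholder</item></config>\n"
)


def scan_samples() -> list:
    """Run the check over the constructed samples; returns one dict per file."""
    samples = [
        ("update.zip", build_real_zip()),   # genuine archive, should pass
        ("update.zip", FAKE_ZIP_XML),       # the disguise, should be flagged
        ("settings.xml", FAKE_ZIP_XML),     # honestly named XML, should pass
    ]
    return [check_masquerade(name, data) for name, data in samples]


if __name__ == "__main__":
    for r in scan_samples():
        flag = "SUSPICIOUS" if r["mismatch"] else "ok"
        print(f"{flag:10} {r['file']}: declared={r['declared']} actual={r['actual']}")
```

Run it over a downloads directory or a sandbox's dropped-file list rather than the constructed samples, and treat "zip-header-only" as suspicious too: a forged signature that does not parse is just another way to confuse an emulator.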
If older versions of the attack files are already present on the victim machine, the new infection deletes them before installing itself. Once extracted, the payload creates a set of new registry keys and runs an XMRig miner configured to mine Monero. XMRig itself is a legitimate open-source miner, so detection should key on the surrounding context (the registry persistence, the CPU consumption and the outbound pool traffic) rather than on the miner binary alone.
Check Point's researchers expect such evasion techniques to keep evolving through 2019 and to become a major, and more common, component of crypto-mining attacks.