KingMiner: The New and Improved CryptoJacker
Research by: Ido Solomon and Adi Ikan
Crypto-Mining attacks have grown and evolved in 2018. Due to the rise in value and popularity of crypto currencies, hackers are increasingly motivated to exploit the CPU power of their victims’ machines for crypto-mining operations. Throughout the year, we have seen evidence of a significant surge in both reports and number of attacks. Despite a recent plateau in crypto currency values, the attack methods and techniques still continue to improve in ingenuity and effectiveness.
KingMiner is a Monero-Mining malware that targets Windows Servers. The malware was first seen in mid-June 2018, and was rapidly followed by the deployment of two improved versions. The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates. Based on our analysis of sensor logs, there is a steady rise in the number of KingMiner attack attempts.
The Attack Flow
Based on our findings,
we determined that the malware targets Microsoft Servers (mostly IIS\SQL) and attempts to guess their passwords.
Windows Scriptlet file (.sct) is downloaded and executed on the victim’s machine.
In execution, the file performs several steps:
- It detects the relevant CPU architecture of the machine.
- If older versions of the attack files exist, it kills the relevant exe file process and deletes the files themselves.
- It downloads a payload ZIP file (zip\64p.zip), based on the detected CPU architecture. Note that this is not an actual ZIP file but rather an XML file which will bypass emulation attempts.
Figure 1: The “zip” payload as it appears in the HTTP response
- The XML payload includes a Base64 blob which, once encoded, will result in the intended “ZIP” file.
As seen above, the ZIP file includes five files:
- config.json – XMRig CPU miner configuration file.
- md5.txt – Text file containing only the string “zzz.”
- powered.exe (called fix.exe in older versions) – The main exectuable file.
- soundbox.dll/soundbox.dll – DLL files containing functions to be exported by powered.exe.
- x.txt/y.png – Binary blob files. Note – This is not a real PNG file.
Figure 2: The first phase of the attack.
Figure 3: config.json – an XMRig configuration file containing a wallet address and private pools.
Emulating the executable file does not result in any activity.
After all files are extracted, the content of the md5.txt file (“zzz”) is appended to the relevant DLL file (sandbox.dll\active_desktop_render_x64.dll, with the same content in both). We have not seen any effect of this action on the malware activity.
The powered.exe/fix.exe file is invoked and executed, which creates the XMRig miner file and several new registry keys with the value “Test.”
Figure 4: The functions contained within the DLL files.
The executable calls functions from the DLL file:
- ClearDesktopMonitorHook – The function returns the value 1. It may be implemented in future versions.
- King1 – Creates a thread and decodes the content of the relevant binary blob file (x.txt/y.png). This result in an Executable file, which is a trimmed version of XMRig CPU miner, stripped from all functions besides the main one.
The DLL file contains four additional functions, which may be used in the future:
- King2 – Return the value 1.
- King3 – Return the value 1.
- King4 – Return the value 1.
- SetDesktopMonitorHook – Invokes King1.
Figure 5: The function “king1”. Creates a thread and takes the binary blob y.png/x.txt as an argument.
Figure 6: Second phase of the attack.
XMRig CPU Miner runs, and uses the entire CPU of the victim’s machine
Although configured to use 75% out of the CPU capacity, it uses 100%.
Figure 7: The malicious powered.exe file taking up 100% of the CPU power.
Check Point Researchers have been monitoring the KingMiner activity since its first appearance and throughout its evolution in the past 6 months. Since its first appearance, KingMiner has been developed and deployed in two new versions. The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation
In addition, as part of the malware’s ongoing evolution, we have found many placeholders for future operations or upcoming updates which will make this malware even harder to detect.
The use of evasion techniques is a major component of a successful attack. Several relatively simple mechanisms enable the malware to bypass common emulation and detection methods:
- Obfuscate 32p.zip/64p.zip files – The ZIP files contain basic XML format data. After parsing, the intended ZIP file is shown.
- The main executable, powered.exe (called fix.exe in older versions), exports functions from the DLL files (sandbox.dll/active_desktop_render_x64.dll). Executing only the executable file, ensures that no activity is found.
- Add md5.txt content to the DLL files (sandbox.dll/active_desktop_render_x64.dll).
- Decode x.txt/y.png content into the executable file XMRig CPU miner.
These evasion techniques appear to significantly decrease the detection rate, as seen in VirusTotal:
It appears that the KingMiner threat actor uses a private mining pool to prevent any monitoring of their activities. The pool’s API is turned off, and the wallet in question is not used in any public mining pools. We have not yet determined which domains are used, as this is also private. However, we can see that the attack is currently widely spread, from Mexico to India, Norway and Israel.
Figure 6: A geographic view of current attacks attempts.
KingMiner is an example of evolving Crypto-Mining malware that can bypass common detection and emulation systems. By implementing simple evasion techniques, the attacker can increase the probability of a successful attack. We predict that such evasion techniques will continue to evolve during 2019 and become a major (and more common) component in Crypto-Mining attacks.
We would like to thank our colleague, Arnold Osipov for his help in this research.
SandBlast Network Protection
Check Point customers are protected by the IPS protections:
- Suspicious Scriptlet Downloader
- XML Containing Malicious File Stream
And Anti-Bot protections
SandBlast Agent Protection
Check Point customers are protected by the protection: