KingMiner is a cryptojacking campaign that hijacks a compromised machine's CPU to mine the Monero cryptocurrency. Over time, the KingMiner mining load degrades performance and, because it runs the processor flat out, can damage the hardware permanently. Use up-to-date anti-malware products to detect and remove the KingMiner Trojans, and keep monitoring the system for signs of compromise such as sustained CPU load, overheating, or unusual network activity.
The Ongoing Reign of Hardware-Burning Royalty
The cyber-security community uses the label 'KingMiner' for both a group of threat actors and the Trojan they have been deploying over the past few months. Their campaign, which shares some infection techniques with the major Ransomware-as-a-Service operations, converts compromised servers into cryptocurrency mining rigs that earn money on other people's hardware. Like other threats in this category that malware experts are tracking, such as RubyMiner and the Butler Miner Trojan, KingMiner abuses the open-source XMRig miner.
The KingMiner campaign gains access by brute-forcing login credentials; once a login is cracked, the remote attackers drop the Trojan that deploys XMRig. Microsoft Internet Information Services (IIS) and SQL servers are the predominant targets, and only Windows systems have been verified as victims so far. The XMRig build that is dropped and run is stripped down to its core mining functions, but it also ships with a configuration bug: instead of capping usage at seventy-five percent of the system's CPU as intended, it consumes all available processor resources.
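Because the initial foothold is a credential brute-force against IIS and SQL logins, the earliest detectable signal on a targeted host is a burst of failed logins from one client cycling through account names. The following is an added example (not code from the page or from Check Point) that runs a per-client sliding-window count over constructed log lines written in the style of SQL Server's ERRORLOG "Login failed for user" entries; the log format, the five-failures-in-two-minutes threshold and the client addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not a real capture):
# one unrelated line, a burst of failures from one client cycling through
# account names, and two isolated failures from a second client.
SAMPLE_LOG = """\
2018-11-20 10:15:30.00 spid9s      Starting up database 'master'.
2018-11-20 10:15:32.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-11-20 10:15:33.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2018-11-20 10:15:33.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-11-20 10:15:34.45 Logon       Login failed for user 'administrator'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2018-11-20 10:15:35.17 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2018-11-20 10:15:36.03 Logon       Login failed for user 'sqladmin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2018-11-20 10:20:01.55 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2018-11-20 10:31:12.30 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
"""

# Matches only failed-login entries; every other ERRORLOG line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, client, user) tuples for each failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Sliding window per client: alert the first time a client accumulates
    `threshold` failures within `window`, then stay quiet for that client."""
    events = sorted(events, key=lambda e: e[0])
    recent = defaultdict(deque)   # client -> deque of (ts, user) inside the window
    alerted = set()
    alerts = []
    for ts, client, user in events:
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({
                "client": client,
                "failures": len(q),
                "users": sorted({u for _, u in q}),  # account names being guessed
                "first": q[0][0],
                "last": ts,
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(parse_failed_logins(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['client']}: {a['failures']} failures {a['first']} -> {a['last']}, "
              f"accounts tried: {', '.join(a['users'])}")
```

The two spaced-out failures from 198.51.100.4 never reach the threshold inside one window, so only the 203.0.113.7 burst is reported; the list of account names tried (sa, admin, administrator) is the tell that distinguishes a guessing tool from a user mistyping a password.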
Other aspects of the KingMiner attacks show competent engineering, however. Malware experts note an obfuscated installation routine that hides its payloads in disguised ZIP archives, private wallet infrastructure that keeps outside parties from tracking how much currency the campaign generates, and further evasion features aimed at defeating traditional analysis environments such as sandboxes. The campaign is also receiving ongoing updates and is likely to gain additional features in the coming months.
Dethroning Bad Rulers from Your Server
As far as the brute-force infection vector goes, protecting a server comes down to eliminating the weak passwords and predictable account names that let password-guessing tools succeed. Server admins should know the factory default values for these fields, where applicable, change them, and use unique credentials for every account wherever practical. The IT security company Check Point also publishes a partial list of file hashes, Monero wallet addresses, and other details that admins can cross-check as potential indicators of infection.
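Cross-checking a published indicator list against a server means two things in practice: hashing files on disk against the known-bad hashes, and searching files for hard-coded Monero wallet addresses, since a miner's configuration has to name the wallet it pays out to. The following is an added example (not code from the page or from Check Point) that does both over a directory tree; the indicator set, the wallet-shaped string and the sample files are constructed placeholders, not KingMiner's real hashes or wallets, so a real run would load Check Point's published values instead.

```python
import hashlib
import os
import re
import tempfile

# A standard Monero address is 95 base58 characters beginning with '4', with the
# second character in 0-9, A or B. Base58 omits 0, O, I and l.
MONERO_ADDR_RE = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")

# Constructed placeholder shaped like a Monero address; not a real wallet.
PLACEHOLDER_WALLET = "4A" + "B" * 93
# Constructed stand-in for a dropped miner binary; not real malware.
SAMPLE_PAYLOAD = b"constructed stand-in for a dropped miner binary\n"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes, max_grep_bytes=16 << 20):
    """Walk `root`; report files whose SHA-256 is in `ioc_hashes` (lowercase hex)
    and files that contain a Monero-address-shaped string."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in ioc_hashes:
                findings.append({"path": path, "reason": "hash-match", "value": digest})
            # Only grep files of reasonable size; latin-1 decoding never fails,
            # so binaries with embedded ASCII configs are searched too.
            if os.path.getsize(path) <= max_grep_bytes:
                with open(path, "rb") as f:
                    data = f.read().decode("latin-1")
                for m in MONERO_ADDR_RE.finditer(data):
                    findings.append({"path": path, "reason": "monero-wallet", "value": m.group(0)})
    findings.sort(key=lambda x: (x["path"], x["reason"]))
    return findings


def demo():
    """Build a throwaway directory with constructed files and scan it.
    Returns (basename, reason) pairs so the result is path-independent."""
    ioc_hashes = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}  # stands in for a published IOC list
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(SAMPLE_PAYLOAD)
        with open(os.path.join(root, "config.json"), "w") as f:
            f.write('{"url": "pool.example:3333", "user": "%s"}' % PLACEHOLDER_WALLET)
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("nothing to see here\n")
        findings = scan_tree(root, ioc_hashes)
    return [(os.path.basename(x["path"]), x["reason"]) for x in findings]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason}: {name}")
```

The hash check only catches the exact samples someone has already reported, which is why the wallet search is worth running alongside it: a recompiled or repacked miner changes its hash, but it still has to carry an address to be paid.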
Malware experts are confident that the KingMiner campaign is being updated continuously, with an emphasis on evading threat-detection services and related security solutions. Keep anti-malware products updated so that their detection rates keep pace with regularly patched threats like the KingMiner Trojans. Isolating an infected server and disinfecting it as soon as possible may be critical, not just for removing the KingMiner miner, but for preventing significant hardware damage from its uncapped CPU load.
Despite its glitches, KingMiner is a well-coordinated criminal business model that exploits careless server administration for Monero-based gain. With more features and fixes on the horizon, it has a serious chance of becoming a true sovereign among rival criminal enterprises such as the Rocke cryptojacking campaign and the RaaS industry.