The Nasty Operation of KingMiner Monero Cryptomining Trojan
2018 is becoming the year of cryptomining malware, a subtle virus compared to the very loud ransomware which dominated the 2017 malware scene. Ransomware came into the mainstream last year, as the trend was started by WannaCry, costing many companies and individual users to pay an aggregate amount of $4 billion in ransom fees, to the delight of its authors. The loud nature of ransomware caused the community to fight back with projects such as nomoreransom.org, which provides infected computers the possibility to decrypt their files without paying the ransom, with the free decryptors the site develops.
Cryptomining malware is the cybercriminal’s answer to this emerging and still evolving anti-ransomware stance by the IT security community. Cryptominers operate silently, stealing CPU/GPU cycles of the machine they infect, in the hopes of successfully mining Monero coin. Monero coin is an alternative to the popular cryptocurrency, Bitcoin. Known for its lighter system requirement to successful mining, Monero is the virus author’s favorite cryptocurrency.
One such nasty Monero mining malware is KingMiner, known by its many names below:
- [email protected]
- Riskware ( 0053b5231 )
- Trojan.CoinMiner!8.30A (TOPIS:4pJjQEp21pU)
- [email protected]#5jccqb7nyc1d
- Trojan ( 0001140e1 )
The moment KingMiner injects itself into the Windows system, it will guarantee its survival by making multiple copies of itself by modifying the following system files:
It will also hijacks the Windows registry, adding entries of itself in HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun. This gives the Trojan the capability to automatically run as soon as Windows loads.
Not satisfied with the redundancy of its files spread all over the hard drive to increase redundancy even after being discovered, it will attach itself to the following paths, creating more copies:
The first samples of KingMiner was first detected only last June 2018, since then it evolved into two versions, both Windows-based: one targeting a vulnerable IIS (Internet Information Systems) and another one that focus its attack against unpatched SQL instances. Detection rate against KingMiner continues to improve, as more and more malware vendors have reversed engineered the trojan’s exact algorithm.
KingMiner only allows one instance of itself running in the background, further execution of more instances will be forcefully terminated by the first instance if detected. This will ensure that the CPU/GPU cycles are only concentrated with executing one instance of the trojan at one time, hence further increasing the chance of successfully mining Monero.
Its authors are very careful not to over-utilize the processor cycles it steals from the Windows OS, maxing-out to only 75% at best. However, earlier versions of the trojan end-up having mistiming bugs, which causes the process to over utilize the system, creating lag in the computer that any user will be able to detect.
Security experts advise system administrators to always monitor the CPU utilization of their servers, in order to detect abnormal use of resources. Occasional lags may happen in a clean PC if free memory goes down, forcing the system to use hard drive space as extra memory. Hence, in order to prevent such false positives, system monitor should try to focus more on CPU cycles, as 75% of CPU cycle allocated to an unknown process is already a red flag indicating infection.