A recently discovered cryptomining operation forces access to Windows servers to use their CPU cycles for mining Monero coins. Detected six months ago, the activity went through multiple stages of evolution.

Since it was spotted in mid-June, the malware received two updates and the number of attacks keeps increasing.

Mining for Monero and evading detection

The researchers at CheckPoint analyzed the new threat and gave it the name KingMiner. They found that it targets Microsoft IIS and SQL Servers in particular and runs a brute-force attack to gain access. Once in, the malware determines the CPU architecture and checks for older versions of itself to remove them.

It relies on the freely available XMRig miner to create Monero coins, with a configuration file that contains private mining pool with the API disabled to keep away from prying eyes.

The wallet address present in the file has not been used in public mining operations, which prevents researchers from checking its balance.

According to the researchers, the miner is configured to use 75% of the CPU resources but in practice, it uses 100% of the processor, probably because of bugs in the code.

KingMiner implements several defenses against emulation environments and detection, recording low rates with some antivirus engines by using an XML payload disguised as a ZIP file.

“The use of evasion techniques is a major component of a successful attack,” CheckPoint says, adding that the malware uses simple techniques to bypass emulation and detection methods.

Over the course of three months, from June to October, KingMiner continued to improve by moving to an obfuscated payload and a modified configuration file for the miner.

All these modifications led to a low detection rate on VirusTotal, with the last two versions of the malware being flagged as malicious by seven antivirus engines and less.

CheckPoint’s telemetry data indicates that KingMiner infections spread “from Mexico to India, and Norway to Israel.”

KingMiner counts on simple methods to stay hidden from security products and was successful at it. The company predicts that cryptomining attacks will continue to evolve in 2019 and become better at evading detection.