ETHERLive delivers real-time price and volume data across 16+ exchanges to users in a clear and easy-to-understand package. Users can get up-to-the-second updates for each exchange/currency pair, as well as aggregated market averages for each exchange, currency, and the market as a whole. It also provides a global converted average of all the currency pairs monitored by ETHNews, converted to USD.


24hr ---

The Basics

Learn the basics of Ethereum and various cryptocurrency technologies

Learn More

What is Ethereum?

Understand the underlying principles of the Ethereum Platform

Learn More

The Blockchain

Discover the revolutionizing technology known as the blockchain

Learn More

Press Release

Submit a press release for consideration on ETHNews

Submit Press

Story / Dapp

Submit a story or DAPP to be considered for publication on ETHNews.

Submit Story


Submit "Ethereum Explainer" content for consideration to be featured on ETHNews

Submit Topic
ETHNews Logo
Ether Price Analysis
Contact Us

Researchers Say KingMiner Malware Is Evolving




The malware can delete old versions of itself to evade detection.

Two researchers from Israel-based Check Point Software Technologies Ltd. have revealed that a type of crypto mining malware is "evolving" to avoid detection, according to research notes published on November 29.

The research done by Ido Solomon and Adi Ikan centered around a type of crypto mining malware called KingMiner. As per the research notes, KingMiner emerged in June 2018, and specifically targets Microsoft servers, usually seeking out servers using "IIS or SQL," to mine Monero tokens.

According to Solomon and Ikan, "The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates."

Once KingMiner infects a server, it tries to guess the password. When the password is obtained, the malware then downloads and executes a Windows scriptlet file. In order to avoid detection, KingMiner searches for and deletes older versions of itself, then replaces them with new versions that can bypass code emulation, which is a method for detecting malware.

Solomon and Ikan found that the attacker uses three other features to avoid monitoring and detection: a private mining pool with the application programming interface turned off, a wallet not used in public mining pools, and private domains. This drastically reduces the rate at which anti-malware software can detect and remove KingMiner from infected servers.

KingMiner malware has infected servers globally, including in Mexico, India, Norway, and Israel.

Solomon and Ikan conclude their research with a warning:

"KingMiner is an example of evolving Crypto-Mining malware that can bypass common detection and emulation systems. By implementing simple evasion techniques, the attacker can increase the probability of a successful attack. We predict that such evasion techniques will continue to evolve during 2019 and become a major (and more common) component in Crypto-Mining attacks."

With the proliferation of cryptocurrency, mining malware has become commonplace. In July 2017, ETHNews reported that servers at San Francisco State University had been infected with bitcoin-mining malware. In February of this year, we reported that more than 4,000 websites – including government-run sites – in the US and the UK were hijacked by crypto mining malware. And, just Wednesday, November 28, Kaspersky Lab issued a report warning of the dangers of new crypto-mining malware.

Nathan Graham

Nathan Graham lives in Sparks, Nevada, with his wife, Beth, and dog, Kyia. Nathan has a passion for new technology, grant writing, and short stories. He spends his time rafting the American River, playing video games, and writing.

ETHNews is committed to its Editorial Policy

Like what you read? Follow us on Twitter @ETHNews_ to receive the latest KingMiner, malware or other Ethereum technology news.