Two researchers from Israel-based Check Point Software Technologies Ltd. have revealed that a type of crypto mining malware is "evolving" to avoid detection, according to research notes published on November 29.
The research done by Ido Solomon and Adi Ikan centered around a type of crypto mining malware called KingMiner. As per the research notes, KingMiner emerged in June 2018, and specifically targets Microsoft servers, usually seeking out servers using "IIS or SQL," to mine Monero tokens.
According to Solomon and Ikan, "The attacker employs various evasion techniques to bypass emulation and detection methods, and, as a result, several detection engines have noted significantly reduced detection rates."
Once KingMiner infects a server, it tries to guess the password. When the password is obtained, the malware then downloads and executes a Windows scriptlet file. In order to avoid detection, KingMiner searches for and deletes older versions of itself, then replaces them with new versions that can bypass code emulation, which is a method for detecting malware.
Solomon and Ikan found that the attacker uses three other features to avoid monitoring and detection: a private mining pool with the application programming interface turned off, a wallet not used in public mining pools, and private domains. This drastically reduces the rate at which anti-malware software can detect and remove KingMiner from infected servers.
KingMiner malware has infected servers globally, including in Mexico, India, Norway, and Israel.
Solomon and Ikan conclude their research with a warning:
"KingMiner is an example of evolving Crypto-Mining malware that can bypass common detection and emulation systems. By implementing simple evasion techniques, the attacker can increase the probability of a successful attack. We predict that such evasion techniques will continue to evolve during 2019 and become a major (and more common) component in Crypto-Mining attacks."
With the proliferation of cryptocurrency, mining malware has become commonplace. In July 2017, ETHNews reported that servers at San Francisco State University had been infected with bitcoin-mining malware. In February of this year, we reported that more than 4,000 websites – including government-run sites – in the US and the UK were hijacked by crypto mining malware. And, just Wednesday, November 28, Kaspersky Lab issued a report warning of the dangers of new crypto-mining malware.