Researchers from UK cyber-security firm Sophos have released a report that describes the tactics, techniques, and procedures used by the threat actors behind KingMiner, an opportunistic botnet whose main purpose is to mine cryptocurrency.
In the observed attacks the KingMiner operators compromised MSSQL databases using brute-force attacks to guess username/password combinations of SQL servers. Once the vulnerable server was hacked, the attackers created another database user named "dbhelp," and then installed the xmrig cryptocurrency miner that would abuse the server's resources to generate profits for the gang.
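As an added example (not code from the Sophos report or from KingMiner itself), here is a defender-side check for the MSSQL brute-force step described above: it parses SQL Server ERRORLOG "Login failed" lines and flags any client address that produces a burst of failures. The log lines, addresses, logins and threshold below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG "Login failed" lines (not from the Sophos report).
# In a real log each of these follows an "Error: 18456, Severity: 14, State: N." line;
# those companion lines are omitted here. The [CLIENT: ...] field carries the source address.
SAMPLE_ERRORLOG = """\
2020-06-09 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:23.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:23.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:24.20 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:15:24.80 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-06-09 10:31:02.12 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(log_text):
    """Yield (timestamp, login name, client ip) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: (failure_count, sorted login names)} for every client
    that produced at least `threshold` failed logins inside any `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: compare each event with the one `threshold - 1` positions earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"possible SQL brute force from {ip}: {count} failures, logins tried {users}")
```

A flagged burst is worth pairing with a review of sys.server_principals for logins nobody provisioned, such as the "dbhelp" account the report attributes to this campaign.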
Sophos says that KingMiner’s code has evolved over time, with the botnet’s operators periodically adding new features to the malware. The botnet exploits elevation of privilege bugs, such as CVE-2017-0213 or CVE-2019-0803, to prevent security software (or admins) from blocking the attackers’ activity.
The hackers behind KingMiner also leverage freely available tools (like PowerSploit or Mimikatz) and techniques such as DLL side-loading (a trick commonly used by Chinese APT groups).
The researchers say that they have recently observed the KingMiner crew experimenting with the EternalBlue exploit, the same vulnerability used in the WannaCry and NotPetya ransomware attacks in 2017.
EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft’s Server Message Block version 1 (SMBv1) protocol, a network file sharing protocol that allows access to files on a remote server. This exploit potentially allows hackers to compromise the entire network and all devices connected to it.
Another interesting finding is a simple VBScript observed in the malware’s code that checks whether the Windows machine is vulnerable to the BlueKeep flaw (Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2).
If the malware identifies that it is running on an unpatched Windows system, the script disables Remote Desktop (RDP) in an attempt to close off a possible infection vector that rival cryptomining botnets could use to infect the computer.
“Kingminer is one of the many medium-sized criminal enterprises who are more creative than the groups who simply use builders purchased from underground marketplaces. As long as the sources of new tools and exploits are published, groups like Kingminer can and will continue to implement them into their arsenal, accelerating the adoption of the exploits and exploit techniques in the lower level tiers of criminality,” the researchers concluded.