Rewterz Threat Alert – KingMiner Cryptocurrency Mining Malware

Severity

High

Analysis Summary

Blasting attacks against weak SQL passwords are resurfacing as KingMiner miners have controlled tens of thousands of computers. KingMiner variant is a Monero coin mining Trojan that performs a blasting attack against a Windows server MSSQL. Attackers have used a variety of evasion techniques to bypass the virtual machine environment and security detection, which caused some anti-virus engines to fail to detect it accurately. The current version of KingMiner has the following features: 
1.     Blasting attacksagainst MSSQL 
2.     Use WMI timers and Windows scheduled tasks for persistent attacks
3.     Shut down the RDP service on the machine with the CVE-2019-0708 vulnerability to prevent other mining groups from invading and monopolize the controlled computer mining resources
4.     Use base64 and specific encoded XML , TXT , PNG files to encrypt Trojan horse programs
5.     Using the signature files of Microsoft and several well-known manufacturers as the parent process, “white + black” starts the Trojan DLL .

The attack uses the Windows privilege escalation vulnerability CVE-2019-0803. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create users with full user rights New account.

Impact

• Crypto-currency mining
• Unauthorized Access
• Privilege Escalation
• Remote Code Execution

Indicators of Compromise

Hostname

• 4056[.]309cffdae[.]tk
• aa[.]30583fdae[.]tk
• news.g23thr[.]com
• q.112adfdae[.]tk
• w.30713fdae[.]tk
• 5921[.]1d28ebfdae[.]com
• w.homewrt[.]com
• 3843.1d28ebfdae[.]com
• ww33.3096bfdae[.]com
• a.1b051fdae[.]tk
• 3023.309cffdae[.]tk
• q.30583fdae[.]tk
• a.qwerr[.]ga
• w.ddff1[.]tk
• 5311.1d28ebfdae[.]com

MD5

• e3accf5a6f58932e56192bfbcbf0804c
• c874dbb6bf3664990b57d07d7d220ee6
• 78b56b92c2e7a42520fb99a84d78cf92
• b0ab674b842822358be8cd5f6dc91554
• 2b702a22963448c164db26807a308d50
• be45959bc043a4fe88351cd03289f240
• c568d6028735cdc2a1ddd3c01f14ca80
• 21048ff02894656b5b24d4ed3c8a2882
• 465373b74d163028add70f0d2b0966d0
• 7def058c5d2acb660f394d04b4698580
• 23ef4da80f6985a78c4a59467ac4612f
• 88a5c4645c2a9d0481fd0a846e49b773
• 4d910cb71c2f55bde48521f7ae062da4
• 20e502ff977b336d9e7785186b16c68a

SHA-256

• 9714ea73cb7d5515e33c14718e47eea2db6bf52cd5371422e663a96ec03af9ee
• bddaca596cb8b29b314c380b0fa42566a3d7e669506b3a0dc645bf6da51146dd
• e780de64c5a571d14eed791bc70d462f8724e2d54c8494b37085cefe7816db54
• e0a4c175db246124881405010af97b08abb60889a41f4080ede7bdd160a8469b
• 3902d0bfbb18ba27084713bdda1ccb23f19934f6621df70ac11aed0b6ee4efb3
• 5359884aa9fa78763e46a6aa86d4796dfb1bbb3533026cf324166e55d8a4e4e9
• 1f7c6f11af601500c50b5ad04e0952aa835c54aba0c85dd62875eab34d0150b1
• c235c44e7904d04c5bd0db76d9b55eb53f0fdb8631a1c9eb6ca3d2bc6494ab02
• 995108745ef411df25b7cf47d4609d12e4408e674ca6fd882114cd5c19e2bf01
• f92387df7c80e7e379a02f118cbdb5643151da3a99e61270ca890ce62bca82d9
• 5bbb40df52745e6762b1b216df692a72ac0491f473b979b22fd310fcbddc114c
• 46131dedf1962a9bda9035eee75058e60d5725d45afb5ea74c614a33f6083b8a
• 0fb48695bb5796c214958868ed0d6fdd0ebd2b9c9ad0e273549c442a0b7f8006
• de9a4dc5507eb4bdcdcb173313e55fc3091a93e270b9bd10c28fc4d8cca84093

Source IP

• 107.154.161[.]209
• 95.179.131[.]54
• 107.154.158[.]39

URL

• hxxp[:]//w.30713fdae[.]tk/32a1[.]zip
• hxxp[:]//w.homewrt[.]com:9761
• hxxp[:]//95.179.131[.]54:9761
• hxxp[:]//32a1[.]zip/64a1.zip
• hxxp[:]//w.30713fdae[.]tk/32tl.zip
• hxxp[:]//w.homewrt[.]com:9761
• hxxp[:]//95.179.131[.]54:9761
• hxxp[:]//32a1[.]zip/64a1.zip
• hxxp[:]//w.30713fdae[.]tk/32tl.zip

Remediation

• Block the threat indicators at their respective controls.
• Fix the elevation of privilege vulnerability CVE-2019-0803.
• Reinforce the SQL Server and patch server security holes. Use a secure password policy and strong passwords.
• Modify the default port of the SQL Server service, change the default 1433 port setting based on the original configuration, and set the access rules to reject 1433 port detection.