Brute-force attacks against weak SQL passwords are resurfacing: the KingMiner miner has taken control of tens of thousands of computers. The KingMiner variant is a Monero mining Trojan that brute-forces MSSQL logins on Windows servers. The attackers use a variety of evasion techniques to defeat virtual-machine (sandbox) analysis and security products, which has caused some anti-virus engines to fail to detect it accurately. The current version of KingMiner has the following features:
1. Brute-force attacks against MSSQL
2. Uses WMI timers and Windows scheduled tasks for persistence
3. Disables the RDP service on machines affected by the CVE-2019-0708 (BlueKeep) vulnerability, so that competing mining groups cannot break in and the group keeps the compromised machine's mining resources to itself
4. Obfuscates the Trojan components with base64 and a custom encoding, hiding them inside XML, TXT and PNG files
5. Launches the Trojan DLL by DLL side-loading ("white + black"): a signed executable from Microsoft or another well-known vendor serves as the parent process and loads the malicious DLL
The attack also uses the Windows privilege-escalation vulnerability CVE-2019-0803. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights.
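As an added example (not code from the original page or from the KingMiner operators), the following Python script shows two hunting checks for the tradecraft listed above: flagging the MSSQL password brute force from the SQL Server ERRORLOG (feature 1), and locating a base64-encoded PE image hidden in an XML or TXT carrier (feature 4). The ERRORLOG lines and the XML carrier are constructed for the example; the embedded "PE" is only a DOS header plus a PE signature, not an executable. Plain base64 is assumed; the additional custom encoding the page mentions is not documented, so it is not handled here. The threshold of five failures per minute is an illustrative choice, not a figure from the report.

```python
"""Hunting helpers for the KingMiner tradecraft described above (added example)."""
import base64
import re
import struct
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real SQL Server ERRORLOG layout for a failed login; the content below is constructed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[\d.]+)\]$"
)

_FAIL = ("{ts} Logon       Login failed for user '{user}'. "
         "Reason: Password did not match that for the login provided. [CLIENT: {ip}]")

# Constructed sample: six failures in about a second from one client, one stray failure elsewhere.
SAMPLE_ERRORLOG = [
    "2019-06-01 10:00:00.00 Server      Server process ID is 1234.",
    _FAIL.format(ts="2019-06-01 10:00:01.23", user="sa", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:00:01.41", user="sa", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:00:01.58", user="admin", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:00:01.77", user="sa", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:00:01.95", user="sqladmin", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:00:02.14", user="sa", ip="203.0.113.5"),
    _FAIL.format(ts="2019-06-01 10:03:12.00", user="appuser", ip="192.0.2.10"),
]


def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("ip")


def detect_mssql_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: (peak failures inside one window, sorted users tried)}
    for every client that reached `threshold` failed logins within `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # timestamps inside the sliding window
        peak = 0
        for ts, _ in events:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[ip] = (peak, sorted({u for _, u in events}))
    return flagged


# Base64 runs long enough to carry something more than a short string.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data):
    """True if `data` starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(carrier):
    """Return [(offset_in_carrier, decoded_size)] for each base64 run in the
    carrier bytes (XML, TXT, or a PNG's text chunks) that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(carrier):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or padding
            continue
        if looks_like_pe(blob):
            hits.append((m.start(), len(blob)))
    return hits


def _fake_pe():
    """Constructed 256-byte image: DOS header, e_lfanew = 0x80, PE signature. Not runnable code."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)


# Constructed carrier: a decoy base64 string plus the hidden "PE" image.
SAMPLE_XML = (
    b"<?xml version='1.0'?><settings><note>"
    + base64.b64encode(b"this is only a decoy string, not an executable " * 3)
    + b"</note><data>" + base64.b64encode(_fake_pe()) + b"</data></settings>"
)

if __name__ == "__main__":
    print(detect_mssql_bruteforce(SAMPLE_ERRORLOG))
    print(find_embedded_pe(SAMPLE_XML))
```

Because `find_embedded_pe` works on raw bytes, the same call can be pointed at a PNG: a payload stored in a tEXt chunk or appended after IEND is found the same way, whereas anything hidden under the undocumented custom encoding still needs that layer reversed first.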