Rewterz Threat Alert – KingMiner Cryptocurrency Mining Malware

November 28, 2019

Severity

High

Analysis Summary

Blasting attacks against weak SQL passwords are resurfacing as KingMiner miners have controlled tens of thousands of computers. KingMiner variant is a Monero coin mining Trojan that performs a blasting attack against a Windows server MSSQL. Attackers have used a variety of evasion techniques to bypass the virtual machine environment and security detection, which caused some anti-virus engines to fail to detect it accurately. The current version of KingMiner has the following features:
1. Blasting attacksagainst MSSQL
2. Use WMI timers and Windows scheduled tasks for persistent attacks
3. Shut down the RDP service on the machine with the CVE-2019-0708 vulnerability to prevent other mining groups from invading and monopolize the controlled computer mining resources
4. Use base64 and specific encoded XML , TXT , PNG files to encrypt Trojan horse programs
5. Using the signature files of Microsoft and several well-known manufacturers as the parent process, “white + black” starts the Trojan DLL .

The attack uses the Windows privilege escalation vulnerability CVE-2019-0803. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create users with full user rights New account.

Impact

Crypto-currency mining
Unauthorized Access
Privilege Escalation
Remote Code Execution

Indicators of Compromise

Hostname

4056[.]309cffdae[.]tk
aa[.]30583fdae[.]tk
news.g23thr[.]com
q.112adfdae[.]tk
w.30713fdae[.]tk
5921[.]1d28ebfdae[.]com
w.homewrt[.]com
3843.1d28ebfdae[.]com
ww33.3096bfdae[.]com
a.1b051fdae[.]tk
3023.309cffdae[.]tk
q.30583fdae[.]tk
a.qwerr[.]ga
w.ddff1[.]tk
5311.1d28ebfdae[.]com

MD5

e3accf5a6f58932e56192bfbcbf0804c
c874dbb6bf3664990b57d07d7d220ee6
78b56b92c2e7a42520fb99a84d78cf92
b0ab674b842822358be8cd5f6dc91554
2b702a22963448c164db26807a308d50
be45959bc043a4fe88351cd03289f240
c568d6028735cdc2a1ddd3c01f14ca80
21048ff02894656b5b24d4ed3c8a2882
465373b74d163028add70f0d2b0966d0
7def058c5d2acb660f394d04b4698580
23ef4da80f6985a78c4a59467ac4612f
88a5c4645c2a9d0481fd0a846e49b773
4d910cb71c2f55bde48521f7ae062da4
20e502ff977b336d9e7785186b16c68a

SHA-256

9714ea73cb7d5515e33c14718e47eea2db6bf52cd5371422e663a96ec03af9ee
bddaca596cb8b29b314c380b0fa42566a3d7e669506b3a0dc645bf6da51146dd
e780de64c5a571d14eed791bc70d462f8724e2d54c8494b37085cefe7816db54
e0a4c175db246124881405010af97b08abb60889a41f4080ede7bdd160a8469b
3902d0bfbb18ba27084713bdda1ccb23f19934f6621df70ac11aed0b6ee4efb3
5359884aa9fa78763e46a6aa86d4796dfb1bbb3533026cf324166e55d8a4e4e9
1f7c6f11af601500c50b5ad04e0952aa835c54aba0c85dd62875eab34d0150b1
c235c44e7904d04c5bd0db76d9b55eb53f0fdb8631a1c9eb6ca3d2bc6494ab02
995108745ef411df25b7cf47d4609d12e4408e674ca6fd882114cd5c19e2bf01
f92387df7c80e7e379a02f118cbdb5643151da3a99e61270ca890ce62bca82d9
5bbb40df52745e6762b1b216df692a72ac0491f473b979b22fd310fcbddc114c
46131dedf1962a9bda9035eee75058e60d5725d45afb5ea74c614a33f6083b8a
0fb48695bb5796c214958868ed0d6fdd0ebd2b9c9ad0e273549c442a0b7f8006
de9a4dc5507eb4bdcdcb173313e55fc3091a93e270b9bd10c28fc4d8cca84093

Source IP

107.154.161[.]209
95.179.131[.]54
107.154.158[.]39

URL

hxxp[:]//w.30713fdae[.]tk/32a1[.]zip
hxxp[:]//w.homewrt[.]com:9761
hxxp[:]//95.179.131[.]54:9761
hxxp[:]//32a1[.]zip/64a1.zip
hxxp[:]//w.30713fdae[.]tk/32tl.zip
hxxp[:]//w.homewrt[.]com:9761
hxxp[:]//95.179.131[.]54:9761
hxxp[:]//32a1[.]zip/64a1.zip
hxxp[:]//w.30713fdae[.]tk/32tl.zip

Remediation

Block the threat indicators at their respective controls.
Fix the elevation of privilege vulnerability CVE-2019-0803.
Reinforce the SQL Server and patch server security holes. Use a secure password policy and strong passwords.
Modify the default port of the SQL Server service, change the default 1433 port setting based on the original configuration, and set the access rules to reject 1433 port detection.