An Insider View into the Increasingly Complex Kingminer Botnet

Sophos has released new research about the use of servers in carrying out attacks; “An Insider View into the Increasingly Complex Kingminer Botnet”. The Kingminer botnet attempts to gain server access by brute-forcing login credentials, and Sophos now finds that it’s using the infamous EternalBlue exploit in an attempt to spread malware among other attack mechanisms. 

As a result, Sophos has released an updated version of its Endpoint and Detection Response solution. Gabor Szappanos, threat research director, Sophos confirmed, “The world of cybercriminals is a heterogeneous mass with many different competence and resource levels among them. Understanding these varying capabilities is very important for preparing defensive actions.

Executive summary

Kingminer is an opportunistic botnet that keeps quiet and flies under the radar. The operators are ambitious and capable, but don’t have endless resources – they use any solution and concept that is freely available, getting inspiration from public domain tools as well as techniques used by APT groups.

The main findings of our research are:

• The botnet has been active since 2018, but the group’s activities go back to at least 2016
• Initially, the botmasters operated DDoS tools and backdoors, but later moved on to cryptocurrency miners
• In a typical scenario, they infect SQL servers by brute-forcing username/password combinations. Recently started to experiment with the EternalBlue exploit
• The infection process may use a privilege elevation exploit (CVE-2017-0213 or CVE-2019-0803) to prevent the operating system from blocking their activities
• The operators prefer to use open source or public domain software (like PowerSploit or Mimikatz) and have enough skills to make customization and enhancements to the source code
• They also use publicly available malware families like the Gh0st RAT or the Gates backdoor
• They commonly use DLL side-loading as a technique, a method traditionally employed by Chinese APT groups, and recently gaining momentum in cybercrime
• They use DGA (domain name generator algorithm) to automatically change the hosting domains every week
• If the infected computer is not patched against the Bluekeep vulnerability, Kingminer disables the vulnerable RDP service in order to lock out competing botnets