Operators of the cryptojacking botnet Kingminer botnet are trying to keep their business humming by applying hotfixes from Microsoft on vulnerable infected computers to lock out other threat actors thay may claim a piece of their pie.
Kingminer has been around for about two years and continues to brute-force its way on SQL servers to install the XMRig cryptocurrency miner for Monero.
In their latest campaigns, the botnet operators started to use the EternalBlue exploit and shutting the door on remote access to their compromised systems, shows a new report from researchers at Sophos cybersecurity company.
From brute force to full control
The attacks start with Kingminer brute-forcing publicly exposed SQL servers until they guess the correct password for the ‘SA’, or system administrator, account.
Additional scripts are downloaded after gaining access to the server, to allow full control of the machine. They’re using the ‘xp_cmdshell‘ Microsoft SQL stored procedure that allows executing an SQL statement to launch a Windows command shell.
Since the commands run in the context of the MSSQL Windows service, they inherit the same permissions, which are above a standard user. In the end, the attackers get full access to the server via PowerShell commands that give them a remote web shell and install the miners.
EternalBlue and BlueKeep
In recent Kingminer campaigns observed by Sophos, the operators used an EternalBlue spreader, although delivering the script did not end in successful exploitation.
Ever since it was leaked by the Shadow Brokers hacker group in April 2017, EternalBlue is frequently used in attacks. The U.S. government lists it in the top 10 most exploited flaws over the past years.
Sophos says that the EternalBlue script used by Kingminer is almost identical with the one used by Powerghost/Wannaminer, another cryptocurrency botnet.
One component of the malware is a VBScript that checks if the infected host runs a version of Windows that is vulnerable to the BlueKeep remote code execution flaw (CVE-2019–0708) in Microsoft’s RDP protocol: Windows XP, Windows Vista, and Windows 7 to Windows Server 2003 and Windows Server 2008.
“If the malware identifies that it is running on any of the vulnerable systems, the code goes on to list the installed hotfixes with the command and searches for the ones related to Bluekeep” – Sophos
In lack of a hotfix for BlueKeep, Kingminer disables the Remote Desktop Protocol, likely to shut off the systems from other cryptomining botnets.
Botnets with BlueKeep scanners are not new. It looks like Kingminer took a page from Watchbog cryptominer, whose operators added the component in July last year.
Sophos found that Kingminer compiles the miners into DLLs that are side-loaded by a benign executable signed with a legitimate certificate.
DLL side-loading is not the only method, though. Reflective loading, which relies on PowerShell, achieves the same goal as does the Windows Control Panel applet installed by the EternalBlue spreader component.
The report from Sophos dives deep into the technical detail behind Kingminer botnet for cryptocurrency mining. The researchers’ assessment is that this is a medium-sized criminal enterprise, sufficiently creative to build custom solutions starting from open-source projects.