Cybersecurity team Sophos discovered a botnet named KingMiner, which targets server administrator account in Microsoft’s SQL database with brute force attack. After finding a way in, it will dump a cryptocurrency miner to mint coins and reward the author. It’s also found the malware is also scanning for other vulnerabilities to exploit and infect all other systems connected to the compromised device.
A Cryptocurrency Botnet Miner
Cryptocurrency botnets are common but are not evolving. Here, the authors of KingMiner are found spending quality time in developing the malware with several functionalities to garner more results. Unlike other botnets that die after fulfilling their purpose, Sophos found KingMiner has been staying persistently to reap more and more profits for the maker. Further, it’s the same gang that’s documented by Qihoo and CheckPoint in past.
It’s said, KingMiner brute-force attacks on Microsoft’s SQL database, and break into Server Administrator account. And when passed in, it creates another user database named dbhelp, and installs the cryptocurrency miner to leverage the server’s computational resources for mining coins. Inspecting the code revealed the authors are periodically adding new features to the malware, that’s capable of preventing security softwares and other botnets interrupting their operations.
Sophos further stated the botnet is exploiting the bugs such as CVE-2017-0213 or CVE-2019-0803, which gives KingMiner the root access into the administrator’s account and even spread to other devices connected in the network. The cybersecurity team mentioned two ways, by which the KingMiner is expanding to add more devices to its botnet and earn more.
Methods of Expanding
The first method is by searching for EternalBlue vulnerability, which seeks a bug in Windows Server Message Block (SMB) for exploitation. EternalBlue is the same vulnerability that led to WannaCry and NotPetya to take systems by storm in 2017. Though patches are made available since then, system admins haven’t patched most of their machines to date.
And the second method is by installing new tools like Gh0st remote access trojan, Mimikatz password dumper, and the Gates backdoor trojan. These can get passwords and set backdoors for future access. Further, it’s even scanning for BlueKeep vulnerability that may let other botnets take over their system. All these methods made KingMiner a sophisticated botnet of recent times.
Well, as ZDNet reported, securing systems against this attack is only by setting a strong and unique password to the Server Administrator account. Since the brute-force attack harsh guesses the account passwords taken from various sources, it’s advised to use unique and strong passwords to avoid being compromised.