Carding.pw carding forum

TOKYO

Criminals install a cryptocurrency miner that uses server resources.

Sophos experts reported a malicious campaign in which KingMiner botnet operators hack into MSSQL database administrator accounts using brute force. As soon as criminals break into a vulnerable MSSQL system, they create another user with the name “dbhelp” and install the Monero cryptocurrency miner using server resources.

KingMiner operators have carried out attacks before, at the end of 2018 and in July 2019. Although most malicious botnets cease to exist after several weeks or months of activity, KingMiner seems to have brought in enough fraudsters to continue the attacks.

KingMiner operators continue to refine the malware code by periodically adding new features. For example, the malware can exploit vulnerabilities (CVE-2017-0213 or CVE-2019-0803) to increase privileges on the system and execute code with administrator rights.

KingMiner operators have added this feature to prevent crashes in its operation due to security solutions or other botnets that could infect the same server.

In addition, KingMiner operators are currently experimenting with the EternalBlue exploit, which allows attackers to gain access to remote Windows systems through vulnerabilities in Server Message Block (SMB) protocol implementations. Although patches were released back in 2017, not all companies have applied them.

According to experts, the botnet is also capable of downloading other tools and malware to infected MSSQL servers. These include the Mimikatz tool, the Gh0st remote access trojan, and the Gates backdoor trojan. KingMiner operators use them to steal passwords from other systems to which the database server can be connected.

According to experts, one of the interesting features of the campaign was that KingMiner operators scanned the infected system for the BlueKeep vulnerability in the remote desktop protocol. If the system turned out to be vulnerable, the criminals turned off RDP access to the database server in order to prevent other malware from breaking into it.
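As an added example from the defender's side (not part of the post or of the Sophos report), the following Python sketch flags the intrusion pattern described above in SQL Server log data: a burst of failed logins from one client, a subsequent successful login from that same client, and the creation of a `dbhelp` login. The log lines are constructed, modelled on the ERRORLOG "Logon" format; the CREATE LOGIN line stands in for an audit record and is constructed as well.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines modelled on SQL Server ERRORLOG "Logon" entries; the
# CREATE LOGIN line stands in for an audit record (also constructed).
_FAIL = ("Logon       Login failed for user 'sa'. Reason: Password did not "
         "match that for the login provided. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    [f"2024-02-22 10:15:0{i}.00 " + _FAIL.format(ip="203.0.113.5") for i in range(6)]
    + ["2024-02-22 10:15:07.00 Logon       Login succeeded for user 'sa'. "
       "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
       "2024-02-22 10:15:09.00 spid57      CREATE LOGIN [dbhelp] WITH PASSWORD "
       "= '***' [CLIENT: 203.0.113.5]",
       "2024-02-22 10:20:00.00 " + _FAIL.format(ip="192.0.2.10")])

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) "
                     r"(?P<src>\S+)\s+(?P<msg>.*?)\s*\[CLIENT: (?P<ip>[\d.]+)\]$")

def parse(log_text):
    # One dict (timestamp, message, client IP) per line that matches the format.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                           "msg": m["msg"], "ip": m["ip"]})
    return events

def detect(log_text, threshold=5, window=timedelta(minutes=5),
           watched_logins=("dbhelp",)):
    """Return (alert, detail) tuples in log order."""
    alerts, brute_forcers = [], set()
    failures = defaultdict(deque)            # client IP -> recent failure times
    for ev in parse(log_text):
        if ev["msg"].startswith("Login failed"):
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # forget failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in brute_forcers:
                brute_forcers.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"]))
        elif ev["msg"].startswith("Login succeeded") and ev["ip"] in brute_forcers:
            alerts.append(("success_after_brute_force", ev["ip"]))
        else:
            for name in watched_logins:
                if re.search(rf"CREATE LOGIN \[?{re.escape(name)}\]?(?!\w)", ev["msg"]):
                    alerts.append(("watched_login_created", f"{name}@{ev['ip']}"))
    return alerts
```

On a real server the same logic applies to the ERRORLOG with failed-login auditing enabled and to SQL Server Audit output for principal creation; the threshold and window are tuning knobs, not fixed values from the report.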