Tencent Yujian: KingMiner miners have controlled tens of thousands of servers

According to BlockBeats, Tencent Security's Threat Intelligence Center has detected a new KingMiner variant. KingMiner is a Monero-mining Trojan that brute-forces MS SQL Server logins on Windows servers. It first appeared in mid-June 2018 and was quickly followed by two improved versions. The attackers use a variety of evasion techniques to bypass virtual-machine (sandbox) analysis and security detection, so that some anti-virus engines fail to detect it accurately.

The current version of KingMiner has the following features:

1. Gains access to MSSQL by brute-forcing logins;

2. Uses WMI timers and Windows scheduled tasks for persistence;

3. Disables the RDP service on machines vulnerable to CVE-2019-0708, so that rival mining groups cannot get in and it can monopolize the server's resources for its own mining;

4. Encrypts the Trojan program inside base64-encoded and specially encoded XML, TXT and PNG files;

5. Uses signed executables from Microsoft and several well-known vendors as the parent process and launches the Trojan DLL by the "white + black" technique (a legitimate signed binary side-loading a malicious DLL).

According to statistics from Tencent Security's Yujian Threat Intelligence Center, KingMiner has affected more than 10,000 machines, with the worst-hit regions being Guangdong, Chongqing, Beijing and Shanghai.


Security Tips


Tencent Yujian recommends that enterprises take defensive measures targeted at the technical characteristics of the KingMiner mining Trojan:

1. Fix the privilege escalation vulnerability CVE-2019-0803 according to Microsoft's official advisory:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0803

2. Harden the SQL Server host and patch its security vulnerabilities. Enforce a secure password policy with strong passwords. Stop using weak passwords, especially for the sa account, so that attackers cannot brute-force them.

3. Change the default port of the SQL Server service: move it off the default port 1433 based on the existing configuration, and set access rules that block probes of port 1433.

4. Enterprise users can deploy the Tencent Yudian Terminal Security Management System on their servers to block attacks of this kind.

5. We recommend that enterprises use the Tencent Yujie Advanced Threat Detection System to detect the various suspicious behaviours of unknown attackers. The Yujie Advanced Threat Detection System is a threat-intelligence and malicious-behaviour detection system built on the security capabilities of Tencent Anti-Virus Laboratory and on Tencent's massive cloud and endpoint data. (https://s.tencent.com/product/gjwxjc/index.html)
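KingMiner's initial access is password guessing against SQL Server, and each failed attempt leaves an error 18456 "Login failed" line with the client address in the SQL Server ERRORLOG. The following detector, an added example that is not part of the original report and not Tencent's own tooling, groups those lines by client and flags any source that exceeds a threshold of failures inside a sliding time window; the log lines, addresses and thresholds are constructed for illustration.

```python
"""Added example: flag SQL Server login brute forcing in ERRORLOG lines.
Each failed login produces a 'Login failed for user ...' line (error 18456)
with the client address; a sliding-window count per client exposes guessing."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The "Login failed" line SQL Server writes after each "Error: 18456" line.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample log: five 'sa' failures from one client within ten
# seconds, one unrelated failure from another client, plus an 18456 line to skip.
SAMPLE_LOG = """\
2019-04-10 10:15:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2019-04-10 10:15:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 10:15:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 10:15:05.77 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-04-10 10:15:06.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-10 10:15:08.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
"""

def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (peak_failures, users_tried)} for every client with at
    least `threshold` failures inside any `window`-long span (lines in time order)."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:  # slide the window forward, dropping old failures
            q.popleft()
        if len(q) >= threshold:
            peak = max(alerts.get(ip, (0,))[0], len(q))
            alerts[ip] = (peak, sorted(users[ip]))
    return alerts
```

Pointing the same logic at Windows event log exports (event 18456 from MSSQLSERVER) works equally well; tune `threshold` and `window` to the normal failure rate of the environment.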
