Severity
High
Analysis Summary
Brute-force attacks against weak SQL passwords are resurfacing: the KingMiner miner has taken control of tens of thousands of computers. This KingMiner variant is a Monero-mining Trojan that brute-forces the MSSQL service on Windows servers. The attackers use a variety of evasion techniques to bypass virtual-machine environments and security detection, which has caused some anti-virus engines to fail to detect it accurately. The current version of KingMiner has the following features:
1. Brute-force attacks against MSSQL
2. Uses WMI timers and Windows scheduled tasks for persistence
3. Shuts down the RDP service on machines affected by the CVE-2019-0708 vulnerability, to keep other mining groups out and monopolize the compromised machine's mining resources
4. Uses base64 and custom encoding inside XML, TXT and PNG files to conceal the Trojan programs
5. Uses signed executables from Microsoft and several well-known vendors as the parent process to start the Trojan DLL in "white + black" fashion (a legitimate signed loader paired with a malicious DLL)
The attack also uses the Windows elevation-of-privilege vulnerability CVE-2019-0803. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights.
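The persistence and brute-force behaviour described above leaves artifacts a defender can hunt for on the SQL host: WMI permanent event subscriptions (the "WMI timer" mechanism), scheduled tasks, and bursts of failed MSSQL logins. The following hunting script is an added example written for this advisory and is not code from the advisory or from the KingMiner samples; the suspicious-command regex and the failed-login threshold are assumed values chosen for illustration, and the script expects an elevated PowerShell session on the server.

```powershell
# Added example: hunt a Windows SQL host for the artifacts this advisory describes.
# Assumptions (not from the advisory): the regex below and the 18456 threshold
# are illustrative values; tune them to the environment.

$SuspiciousPattern = 'powershell|mshta|regsvr32|rundll32|certutil|base64|\.png|\.txt|\.xml'
$FailedLoginThreshold = 50   # failed logins per source in 24 h before we flag it

# 1. WMI permanent event subscriptions (filter -> consumer bindings).
#    A CommandLineEventConsumer bound to a timer-driven __EventFilter is the
#    "WMI timer" persistence the advisory mentions.
Write-Host '== WMI event filters, consumers and bindings =='
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
Get-CimInstance -Namespace root/subscription -ClassName __IntervalTimerInstruction -ErrorAction SilentlyContinue |
    Select-Object TimerId, IntervalBetweenEvents

# 2. Scheduled tasks whose action matches the pattern or runs from a
#    user-writable location.
Write-Host '== Scheduled tasks with suspicious actions =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $SuspiciousPattern -or
            $cmd -match 'AppData|ProgramData|\\Temp\\|\\Users\\Public') {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Command  = $cmd
            }
        }
    }
} | Format-Table -AutoSize

# 3. MSSQL password guessing: SQL Server writes failed logins to the Windows
#    Application log as event ID 18456 ("Login failed for user ... [CLIENT: x.x.x.x]").
#    Group by client address and report sources above the threshold.
Write-Host "== MSSQL failed logins (event 18456) in the last 24 h, >= $FailedLoginThreshold per source =="
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 18456; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        # Extract the client address from the message text; fall back to 'unknown'.
        if ($_.Message -match '\[CLIENT:\s*([^\]]+)\]') { $Matches[1] } else { 'unknown' }
    } |
    Group-Object |
    Where-Object { $_.Count -ge $FailedLoginThreshold } |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'Client'; Expression = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Any CommandLineEventConsumer or scheduled task that points at an encoded payload in a data file (XML, TXT or PNG, as listed above) or at a signed vendor binary sitting in an unusual directory deserves a closer look, and a single source address accounting for hundreds of 18456 events is the brute-force phase itself.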
Impact
- Crypto-currency mining
- Unauthorized Access
- Privilege Escalation
- Remote Code Execution
Indicators of Compromise
Hostname
- 4056[.]309cffdae[.]tk
- aa[.]30583fdae[.]tk
- news.g23thr[.]com
- q.112adfdae[.]tk
- w.30713fdae[.]tk
- 5921[.]1d28ebfdae[.]com
- w.homewrt[.]com
- 3843.1d28ebfdae[.]com
- ww33.3096bfdae[.]com
- a.1b051fdae[.]tk
- 3023.309cffdae[.]tk
- q.30583fdae[.]tk
- a.qwerr[.]ga
- w.ddff1[.]tk
- 5311.1d28ebfdae[.]com
MD5
- e3accf5a6f58932e56192bfbcbf0804c
- c874dbb6bf3664990b57d07d7d220ee6
- 78b56b92c2e7a42520fb99a84d78cf92
- b0ab674b842822358be8cd5f6dc91554
- 2b702a22963448c164db26807a308d50
- be45959bc043a4fe88351cd03289f240
- c568d6028735cdc2a1ddd3c01f14ca80
- 21048ff02894656b5b24d4ed3c8a2882
- 465373b74d163028add70f0d2b0966d0
- 7def058c5d2acb660f394d04b4698580
- 23ef4da80f6985a78c4a59467ac4612f
- 88a5c4645c2a9d0481fd0a846e49b773
- 4d910cb71c2f55bde48521f7ae062da4
- 20e502ff977b336d9e7785186b16c68a
SHA-256
- 9714ea73cb7d5515e33c14718e47eea2db6bf52cd5371422e663a96ec03af9ee
- bddaca596cb8b29b314c380b0fa42566a3d7e669506b3a0dc645bf6da51146dd
- e780de64c5a571d14eed791bc70d462f8724e2d54c8494b37085cefe7816db54
- e0a4c175db246124881405010af97b08abb60889a41f4080ede7bdd160a8469b
- 3902d0bfbb18ba27084713bdda1ccb23f19934f6621df70ac11aed0b6ee4efb3
- 5359884aa9fa78763e46a6aa86d4796dfb1bbb3533026cf324166e55d8a4e4e9
- 1f7c6f11af601500c50b5ad04e0952aa835c54aba0c85dd62875eab34d0150b1
- c235c44e7904d04c5bd0db76d9b55eb53f0fdb8631a1c9eb6ca3d2bc6494ab02
- 995108745ef411df25b7cf47d4609d12e4408e674ca6fd882114cd5c19e2bf01
- f92387df7c80e7e379a02f118cbdb5643151da3a99e61270ca890ce62bca82d9
- 5bbb40df52745e6762b1b216df692a72ac0491f473b979b22fd310fcbddc114c
- 46131dedf1962a9bda9035eee75058e60d5725d45afb5ea74c614a33f6083b8a
- 0fb48695bb5796c214958868ed0d6fdd0ebd2b9c9ad0e273549c442a0b7f8006
- de9a4dc5507eb4bdcdcb173313e55fc3091a93e270b9bd10c28fc4d8cca84093
Source IP
- 107.154.161[.]209
- 95.179.131[.]54
- 107.154.158[.]39
URL
- hxxp[:]//w.30713fdae[.]tk/32a1[.]zip
- hxxp[:]//w.homewrt[.]com:9761
- hxxp[:]//95.179.131[.]54:9761
- hxxp[:]//32a1[.]zip/64a1.zip
- hxxp[:]//w.30713fdae[.]tk/32tl.zip
Remediation
- Block the threat indicators at their respective controls.
- Patch the elevation-of-privilege vulnerability CVE-2019-0803.
- Harden SQL Server and patch the server's security holes; enforce a secure password policy and use strong passwords.
- Change the SQL Server service from its default port: move it off 1433 in line with the existing configuration, and set access rules that reject probes of port 1433.
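The network-access and password-policy steps above can be applied and verified from PowerShell on the SQL host. The script below is an added example, not part of the advisory; it assumes the SqlServer PowerShell module (for Invoke-Sqlcmd) is installed, that the instance is reachable as localhost, and it uses 10.0.0.0/24 as a placeholder for the subnet that legitimately talks to SQL Server.

```powershell
# Added example: restrict reachability of the SQL Server port and enforce the
# Windows password policy on SQL logins. Placeholder values are marked.
$AllowedSubnet = '10.0.0.0/24'   # placeholder: replace with the real management/app subnet
$SqlPort       = 1433            # set to the non-default port chosen when moving off 1433

# 1. Show the port each instance actually listens on (TcpPort / TcpDynamicPorts
#    under the IPAll key) so the firewall rule matches the real configuration.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL*.*\MSSQLServer\SuperSocketNetLib\Tcp\IPAll' |
    Select-Object PSPath, TcpPort, TcpDynamicPorts

# 2. Default-deny inbound, then a single allow rule scoped to the allowed subnet.
#    Windows Firewall evaluates block rules before allow rules, so a broad
#    "block 1433" rule would also defeat this allow; rely on the default action instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "SQL Server TCP/$SqlPort from allowed subnet only" `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $AllowedSubnet -Action Allow

# 3. List any other inbound allow rule for the same port; such rules would
#    silently widen exposure and should be removed or scoped.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$SqlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile

# 4. Password policy: find SQL logins that bypass the Windows password policy
#    and turn enforcement on. Existing weak passwords are not rejected
#    retroactively, so rotate them after this change.
$query = @"
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0;
"@
$unchecked = Invoke-Sqlcmd -ServerInstance 'localhost' -Query $query
foreach ($login in $unchecked) {
    Write-Host "Enabling CHECK_POLICY for login [$($login.name)]"
    Invoke-Sqlcmd -ServerInstance 'localhost' `
        -Query "ALTER LOGIN [$($login.name)] WITH CHECK_POLICY = ON;"
}
```

Moving the listener to a non-default port is done through SQL Server Configuration Manager (or the IPAll registry values shown in step 1) followed by a service restart; the firewall rule must then be updated to the new port, which is why the script keeps the port in a single variable.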