Sophos experts warn of the activity of the KingMiner botnet, which breaks into MSSQL servers to install a cryptocurrency miner. Using brute-force attacks, the botnet tries to guess the credentials of the sa (server administrator) account, which in MSSQL is the account with the highest privileges. If the username and password are guessed successfully, the attackers create an additional database named dbhelp and install a miner that uses the server's resources to mine Monero for its operators.
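The brute-force-then-create-database sequence described above leaves two traces that a defender can look for in the SQL Server ERRORLOG: a burst of failed logins for 'sa' from one client address (optionally followed by a successful 'sa' login from the same address), and a database named dbhelp being started. The following script is an added example written for this page, not Sophos' or the botnet's code; the log lines it parses are constructed samples in ERRORLOG style, the threshold and window values are assumptions, and the only indicator it takes from the article is the dbhelp database name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real log data):
# five failed 'sa' logins from one client in under two seconds, an unrelated failure
# from another client, a successful 'sa' login from the first client, and then the
# 'dbhelp' database named in the article being started.
SAMPLE_ERRORLOG = """\
2020-06-09 10:15:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-06-09 10:15:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-06-09 10:15:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-06-09 10:15:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-06-09 10:15:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-06-09 10:15:09.10 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2020-06-09 10:16:30.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2020-06-09 10:17:05.77 spid55      Starting up database 'dbhelp'.
2020-06-09 10:17:06.00 spid55      Starting up database 'Sales'.
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+\S+\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)
DB_START_RE = re.compile(r"Starting up database '(?P<db>[^']+)'")

# Database name the article reports KingMiner creating after a successful login.
SUSPICIOUS_DB_NAMES = {"dbhelp"}


def parse_logins(text):
    """Return a list of (timestamp, result, user, client_ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    events.sort(key=lambda e: e[0])
    return events


def detect_sa_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag client IPs with at least `threshold` failed 'sa' logins inside one window.

    Returns {ip: {"failures": n, "first": ts, "success_after": bool}}, where
    success_after is True when the same IP logged in as 'sa' within `window`
    after the last counted failure, i.e. the guessing apparently worked.
    Threshold and window are assumed tuning values, not figures from the article.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, ip in events:
        if user != "sa":
            continue
        (failures if result == "failed" else successes)[ip].append(ts)

    alerts = {}
    for ip, times in failures.items():
        # Sliding window over the (already sorted) failure timestamps.
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                last_fail = times[end]
                success_after = any(
                    last_fail <= s <= last_fail + window for s in successes[ip]
                )
                alerts[ip] = {
                    "failures": count,
                    "first": times[start],
                    "success_after": success_after,
                }
    return alerts


def find_suspicious_databases(text):
    """Return the names of started databases that match a known artifact name."""
    found = []
    for line in text.splitlines():
        m = DB_START_RE.search(line)
        if m and m.group("db").lower() in SUSPICIOUS_DB_NAMES:
            found.append(m.group("db"))
    return found


if __name__ == "__main__":
    evts = parse_logins(SAMPLE_ERRORLOG)
    for ip, info in detect_sa_bruteforce(evts).items():
        tail = " followed by a successful 'sa' login" if info["success_after"] else ""
        print(f"ALERT {ip}: {info['failures']} failed 'sa' logins since {info['first']}{tail}")
    for db in find_suspicious_databases(SAMPLE_ERRORLOG):
        print(f"ALERT: database '{db}' started (matches a known KingMiner artifact)")
```

Failed logins only appear in the ERRORLOG when login auditing is set to record failures (the default) and successes appear only when it is set to record both, so the success_after signal depends on that server setting; the database-name check is a weak indicator on its own, since any database could be called dbhelp, but combined with a preceding brute-force burst it matches the sequence the article describes.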
Behind the KingMiner botnet is the same hacker group that Check Point experts described at the end of 2018 and that Qihoo 360 specialists reported on in the summer of 2019.
“Although most botnets do not ‘live’ for more than a few weeks or months, KingMiner seems to be making a good profit for its operators, since the attacks are still ongoing,” write Sophos analysts.
Another exception is the Vollgar mining botnet, which brute-forced MS SQL servers for two years.
The KingMiner code has changed. In particular, KingMiner has become more stable and has learned to obtain administrator (root-equivalent) rights on the Windows server hosting the MSSQL database. The attackers do this by exploiting privilege escalation vulnerabilities (CVE-2017-0213 or CVE-2019-0803), which give KingMiner the ability to execute code with administrator privileges.
In addition, KingMiner now tries to extend its attack beyond the MSSQL database itself, penetrating other systems of the victim company to which the database server is connected.
“Attention to the internal networks of companies is not uncommon for this type of malware, and many mining botnets exhibit similar behavior. KingMiner is only at the initial stage of implementing this functionality,” say the researchers.
The malware can extend its attacks in two ways.
- First, KingMiner is experimenting with the famous exploit EternalBlue, which was used to distribute WannaCry and NotPetya in 2017.
- Second, the botnet tries to spread locally by downloading various tools and additional malware to infected MSSQL servers. These include Mimikatz, the Gh0st remote access trojan, and the Gates backdoor trojan. In this case the goal of KingMiner is believed to be stealing passwords for other company systems to which the database server may be connected.
However, Sophos analysts believe that the most unusual feature of KingMiner is that the malware scans infected systems to determine whether they are vulnerable to BlueKeep. If the system is vulnerable, KingMiner promptly disables RDP access to the server to prevent competing hacker groups from taking it over.