The year 2020 has seen a steady and steep rise in cyber attacks around the world, and threat actors are bringing their A-game to cause maximum damage for their own benefit. In our recent blogs we noted that hackers are revisiting old tactics to carry out these attacks. In this blog we look at another malware campaign that is being spread using similar tactics from yesteryear.
According to researchers, the threat actors behind the Kingminer botnet are using the EternalBlue exploit to spread their malware. This botnet recently drew media attention for brute-forcing the most privileged account on Microsoft SQL Server, the “sa” login. Once in, the operators exploit the Windows privilege escalation bugs CVE-2017-0213 or CVE-2019-0803 to gain full (SYSTEM-level) control of the underlying Windows server on which the MSSQL database is running.
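The brute-forcing of the “sa” login described above leaves a trail in the SQL Server ERRORLOG, where every failed login is recorded as a “Login failed for user '…'” line with the client address. The following detection script is an added example written for this post; it is not eScan's code or anything recovered from the Kingminer campaign. It assumes the default ERRORLOG line format, and the sample log lines, the client addresses and the threshold of five failures within one minute are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not from a real incident): one client
# hammers the "sa" login six times in ten seconds, another client fails once,
# and one failure is against a different login.
SAMPLE_ERRORLOG = """\
2020-06-10 12:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-10 12:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:03.22 Logon       Error: 18456, Severity: 14, State: 8.
2020-06-10 12:00:03.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:07.51 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:09.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:11.75 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:00:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-06-10 12:05:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

# Matches the failed-login line only; the preceding "Error: 18456" line is ignored.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, login, client) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["client"]))
    return events


def find_bruteforce(events, user="sa", threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak_failures} for clients that produced at least
    `threshold` failed logins against `user` inside any sliding `window`.
    Threshold and window are arbitrary illustration values; tune per environment."""
    per_client = defaultdict(list)
    for ts, login, client in events:
        if login == user:
            per_client[client].append(ts)

    alerts = {}
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[client] = max(alerts.get(client, 0), count)
    return alerts


if __name__ == "__main__":
    for client, hits in find_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"possible sa brute force from {client}: {hits} failures within 1 minute")
```

Run against a live server, feed the script the output of `xp_readerrorlog` or the ERRORLOG file itself; the single failure from the second client is deliberately below the threshold so that one mistyped password does not page anyone. Since Kingminer's next step after the password is a local privilege escalation, an alert here is the point at which to check the patch level for CVE-2017-0213 and CVE-2019-0803 on the host as well.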
The Kingminer botnet has been active since mid-2018, and its code has been evolving constantly since then. In the same year it was reported to be targeting Microsoft SQL Servers, and a year later, in 2019, it was found to be deploying a new Trojan variant.
The EternalBlue exploit first came to public attention in 2017, when it was used to spread the WannaCry and NotPetya ransomware.
Other Notable Facts
- It is not just EternalBlue: Kingminer also makes use of BlueKeep (CVE-2019-0708), a vulnerability in Microsoft's Remote Desktop Protocol, to reach its victims.
- Similar to the modus operandi of Chinese APT groups, the operators use DLL side-loading.
- The operators host files such as the Mimikatz credential stealer, XMRig miner payloads and reflective loader scripts on GitHub and other public repositories, as long as the content is not so overtly malicious that it gets taken down.
Kingminer is a highly creative, moderately successful criminal enterprise whose operators build their own tooling instead of depending on underground marketplaces. Our security experts expect this botnet's activity to rise as the group continues its fast and steady adoption of open source solutions.
To read more, please check eScan Blog