Cryptojacking, which most often involves mining Monero (XMR) or Ethereum (ETH), can be difficult to detect if the attacker limits how much CPU time is stolen. Because mined funds are transferred to attacker-controlled wallets in real time, these techniques are becoming more popular with attackers who may previously have relied on ransomware, which is not guaranteed to provide an illegal payout.
On Thursday, researchers from Check Point said in a blog post that one such form of cryptomining malware, known as KingMiner, first appeared in June this year and is now out in the wild as a new-and-improved variant.
The malware generally targets Microsoft IIS/SQL servers with brute-force attacks to obtain the credentials needed to compromise a server. Once access is gained, a .sct Windows Scriptlet file is downloaded and executed on the victim's machine.
This script detects the machine's CPU architecture and downloads a payload tailored to that CPU. The payload appears to be a .zip file but is actually an XML file, which the researchers say will "bypass emulation attempts."
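The mismatch between the payload's declared .zip extension and its real XML content is something a defender can check for directly, since a file's leading bytes identify its format regardless of its name. The following Python is an added example, not code from the article or from Check Point: it sniffs the first bytes of a blob to decide whether it is a zip archive or XML and flags files whose extension disagrees with the result. The sample archive and the placeholder scriptlet body are constructed here, and the signature list and extension mapping are assumptions made for this example.

```python
import io
import os
import zipfile

# Zip local-file, empty-archive and spanned-archive signatures all begin with "PK".
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
# XML prolog plus the root elements Windows script files commonly start with
# (assumed list for this example).
XML_PREFIXES = (b"<?xml", b"<scriptlet", b"<component", b"<package")
UTF8_BOM = b"\xef\xbb\xbf"

# Which extensions legitimately carry each sniffed content type (assumption).
EXPECTED_EXTENSIONS = {
    "zip": {".zip"},
    "xml": {".xml", ".sct"},  # .sct is the Windows Scriptlet extension named in the article
}


def sniff_content(data: bytes) -> str:
    """Classify a blob from its leading bytes, ignoring whatever name it was given."""
    if data.startswith(ZIP_SIGNATURES):
        return "zip"
    head = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    head = head.lstrip(b" \t\r\n")[:32].lower()
    if head.startswith(XML_PREFIXES):
        return "xml"
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed content type.

    A mismatch is only reported when the content type is recognised; an
    unrecognised blob gets the verdict "unknown" instead of a false positive.
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_content(data)
    if kind == "unknown":
        verdict = "unknown"
    elif ext in EXPECTED_EXTENSIONS[kind]:
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"filename": filename, "extension": ext, "content": kind, "verdict": verdict}


def find_disguised_payloads(samples) -> list:
    """Return the names of files whose extension disagrees with their content."""
    return [name for name, data in samples if check_file(name, data)["verdict"] == "mismatch"]


# --- Constructed sample inputs (not from the article) -----------------------
def build_sample_zip() -> bytes:
    """A genuine, minimal zip archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign archive content")
    return buf.getvalue()


# Placeholder Windows Scriptlet body: plain XML with a <scriptlet> root and no code.
SAMPLE_SCRIPTLET = (
    b'<?XML version="1.0"?>\r\n'
    b"<scriptlet>\r\n"
    b"  <!-- constructed placeholder body -->\r\n"
    b"</scriptlet>\r\n"
)

SAMPLES = [
    ("archive.zip", build_sample_zip()),   # honest archive
    ("loader.sct", SAMPLE_SCRIPTLET),      # honest scriptlet
    ("payload.zip", SAMPLE_SCRIPTLET),     # XML wearing a .zip extension
    ("blob.bin", b"\x00\x01\x02\x03"),     # unrecognised, reported as unknown
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(check_file(name, data))
    print("disguised:", find_disguised_payloads(SAMPLES))
```

Run against the constructed samples, only `payload.zip` is reported as disguised. The check deliberately refuses to judge unrecognised content rather than treating every non-zip `.zip` as hostile, which keeps it usable as a triage filter on downloads and web-server upload directories without generating noise for formats it does not know.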