First discovered in June 2018, Kingminer is a Monero-mining malware that targets Windows servers, particularly IIS and SQL servers. The actors behind the malware use various evasion methods to bypass detection. A Windows .sct file is installed on the victim's machine; upon execution, it detects the relevant CPU architecture, kills the relevant .exe processes, and downloads a payload ZIP file. In the second phase of the attack, the XMRig CPU miner runs and consumes the victim's entire CPU.
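As an added, defender-side illustration (not code from the page or from Check Point's analysis), the following correlates the three behaviours just described, scriptlet execution, ZIP payload download and CPU saturation, over constructed host telemetry. The event shape, file paths, the 90% threshold and the 30-minute window are assumptions; the point is that saturation alone is noisy on a SQL server and only the ordered chain should alert.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process" (command line), "download" (saved path) or "cpu" ("image:percent")
    detail: str

ORDER = ("sct_exec", "zip_download", "cpu_saturation")  # the chain the text describes

def stage(ev, cpu_threshold=90):
    """Map one event to a chain stage name, or None if it fits none."""
    d = ev.detail.lower()
    if ev.kind == "process" and ".sct" in d:
        return "sct_exec"
    if ev.kind == "download" and d.endswith(".zip"):
        return "zip_download"
    if ev.kind == "cpu" and int(d.rsplit(":", 1)[1]) >= cpu_threshold:
        return "cpu_saturation"

def find_chains(events, window=timedelta(minutes=30), cpu_threshold=90):
    """Return (host, start_ts) for each host showing all three stages, in order, within `window`."""
    by_host, hits = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    for host, evs in by_host.items():
        progress = []  # timestamps of the stages matched so far
        for ev in evs:
            s = stage(ev, cpu_threshold)
            if progress and ev.ts - progress[0] > window:
                progress = []  # chain went stale; wait for a fresh scriptlet execution
            if s == ORDER[len(progress)]:
                progress.append(ev.ts)
                if len(progress) == len(ORDER):
                    hits.append((host, progress[0]))
                    progress = []
    return hits

T0 = datetime(2024, 1, 1, 10, 0)  # constructed sample telemetry below, not real data
SAMPLE = [
    Event(T0, "iis-01", "process", r"C:\Windows\Temp\update.sct"),               # full chain
    Event(T0 + timedelta(minutes=2), "iis-01", "download", r"C:\Windows\Temp\payload.zip"),
    Event(T0 + timedelta(minutes=5), "iis-01", "cpu", "xmrig.exe:99"),
    Event(T0, "sql-02", "cpu", "sqlservr.exe:97"),       # busy SQL Server: saturation alone must not alert
    Event(T0, "iis-03", "process", r"C:\Windows\Temp\x.sct"),                     # stages too far apart
    Event(T0 + timedelta(hours=2), "iis-03", "download", r"C:\Temp\a.zip"),
    Event(T0 + timedelta(hours=2, minutes=1), "iis-03", "cpu", "xmrig.exe:95"),
]
```

Running `find_chains(SAMPLE)` flags only iis-01; widening the window to three hours also catches iis-03, which shows why the window is a tuning knob rather than a fixed value.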
Reporting and Technical Details
Check Point provides technical analysis of the Kingminer malware here.