KingMiner Malware


KingMiner generally targets Microsoft IIS and SQL Server hosts with brute-force attacks in order to obtain the credentials needed to compromise a server. Once access is gained, a .sct Windows Scriptlet file is downloaded and executed on the victim's machine.

This script detects the machine's CPU architecture and downloads a payload tailored to the CPU in use. The payload appears to be a .zip but is actually an XML file, which the researchers say will "bypass emulation attempts."

Once extracted, the malware payload creates a set of new registry keys and executes an XMRig miner file, designed for mining Monero.

The miner is configured to use 75 percent of CPU capacity but, possibly because of coding errors, actually uses 100 percent of the CPU.
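Two defender-side checks for the chain described above, as an added example that is not code from the article or from the researchers it cites: a sliding-window detector for SQL Server failed-login storms (the brute-force entry point) and a magic-byte sniff that flags a download whose extension says .zip while its bytes say XML. The log lines are constructed in SQL Server ERRORLOG style; 18456 is SQL Server's real "login failed" error number, and the client addresses are documentation ranges. The threshold, window and container hints are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not taken from the article).
# 18456 is SQL Server's real "login failed" error number; the client addresses are
# RFC 5737 documentation ranges used purely for illustration.
SAMPLE_ERRORLOG = """\
2018-11-30 10:14:00.10 Logon       Error: 18456, Severity: 14, State: 8.
2018-11-30 10:14:00.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2018-11-30 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-11-30 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-11-30 10:15:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-11-30 10:15:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-11-30 10:15:08.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-11-30 10:15:12.64 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
"""

# Timestamp (fraction dropped), the failed-login text, and the client address at the end.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, client, user) for every failed-login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["client"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per client that reaches `threshold` failures inside a sliding `window`.

    threshold and window are assumed tuning values; returns {client: details}.
    """
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    alerts = {}
    for ts, client, _user in sorted(events):
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {"failures": len(q), "first": q[0], "triggered": ts}
    return alerts


def classify_download(filename, data):
    """Sniff the container from leading bytes and report whether the extension disagrees.

    Returns (sniffed_type, mismatch). The hints are a small assumed set, not a full
    file-type database: ZIP local-file header, XML/markup, and PE ("MZ").
    """
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = data.lstrip()
    if data.startswith(b"PK\x03\x04"):
        sniffed = "zip"
    elif head.startswith(b"<?xml") or head.startswith(b"<"):
        sniffed = "xml"
    elif data.startswith(b"MZ"):
        sniffed = "exe"
    else:
        sniffed = "unknown"
    return sniffed, sniffed != claimed


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"brute-force suspected from {client}: {info['failures']} failures "
              f"between {info['first']:%H:%M:%S} and {info['triggered']:%H:%M:%S}")
    # Constructed payload: named like an archive, but the bytes are XML.
    print(classify_download("payload.zip", b'<?xml version="1.0"?><package/>'))
```

The detector keys on the client address because a single noisy-but-legitimate user tripping a low threshold is cheap to triage, whereas one address failing against 'sa' repeatedly is the pattern worth paging on; the sniffer is deliberately strict (an extension that does not match the sniffed type is a mismatch, not a warning) because a payload disguised as an archive is exactly the emulation-bypass trick the article describes.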

To make it harder to track the threat actor or attribute the attacks, KingMiner's mining pool has been made private and its API has been turned off. In addition, the wallet has never been used in public mining pools, so the researchers cannot tell which domains are in use or how many Monero coins have been mined through the attacks.

The new version of KingMiner is being deployed alongside two other variants, and the malware's operators appear to be continually improving it, with a particular focus on avoiding emulation and detection.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against KingMiner malware and similar threats. Make sure you only download legitimate apps from the app store and do not click on suspicious links. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from cryptomining malware.


CVE-2018-18203


A vulnerability in the update mechanism of Subaru StarLink Harman head units (2017, 2018, and 2019) may give an attacker with physical access to the vehicle's USB ports the ability to rewrite the head unit's firmware. The cause is a bug in the validity check that lets unsigned images pass, so the device accepts modified QNX6 filesystem images (provided the attacker has obtained certain Harman decryption/encryption code). An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.

Source: GitHub

How do you protect yourself?

Note from Subaru
Subaru will have updates for head units affected by this flaw in the coming weeks.

Note from Harman
The firmware update process attempted to verify the authenticity of the QNXCNDFS dat files. The procedure in question had a bug in it that caused unsigned images to verify as “valid”, which allowed for unsigned code installation.
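The bug class Harman describes, a validity check that lets an unsigned image through, is easy to reproduce in miniature. The following is an added example, not Harman's code and not the QNXCNDFS format: a hypothetical image container where an HMAC stands in for the real signature scheme so the block runs with the standard library alone. It shows the vulnerable pattern (an absent signature treated as "nothing to verify") beside the hardened check (fail closed on a missing or malformed signature, constant-time comparison). The key, the image bodies and the container layout are all constructed.

```python
import hashlib
import hmac

# Constructed, hypothetical image container used only to illustrate the bug class in the
# advisory (unsigned images passing the validity check). It is NOT the QNXCNDFS format
# and NOT Harman's code. An HMAC stands in for the real signature scheme.
DEMO_KEY = b"demo-signing-key-not-secret"  # constructed; a real device would hold a public key


def sign_image(body, key=DEMO_KEY):
    """Attach a tag to an image body; a properly signed image."""
    return {"body": body, "signature": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unsigned_image(body):
    """An image that simply carries no signature at all."""
    return {"body": body, "signature": ""}


def tampered(image):
    """Flip one byte of the body while keeping the original signature (a modified image)."""
    body = bytearray(image["body"])
    body[0] ^= 0x01
    return {"body": bytes(body), "signature": image["signature"]}


def verify_image_buggy(image, key=DEMO_KEY):
    """Vulnerable pattern: a missing signature is treated as 'nothing to verify'."""
    sig = image.get("signature", "")
    if not sig:
        return True  # BUG: an unsigned image verifies as "valid"
    expected = hmac.new(key, image["body"], hashlib.sha256).hexdigest()
    return sig == expected  # also a timing-variable comparison


def verify_image_fixed(image, key=DEMO_KEY):
    """Hardened: absent or malformed signatures fail closed; the comparison is constant-time."""
    sig = image.get("signature")
    if not isinstance(sig, str) or len(sig) != 64:  # hex SHA-256 tag is exactly 64 chars
        return False
    expected = hmac.new(key, image["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def run_checks():
    """Exercise both verifiers on a signed, an unsigned, and a tampered image."""
    good = sign_image(b"vendor firmware image")
    unsigned = unsigned_image(b"unsigned firmware image")
    modified = tampered(good)
    return {
        "buggy": (verify_image_buggy(good), verify_image_buggy(unsigned), verify_image_buggy(modified)),
        "fixed": (verify_image_fixed(good), verify_image_fixed(unsigned), verify_image_fixed(modified)),
    }


if __name__ == "__main__":
    for name, (signed_ok, unsigned_ok, tampered_ok) in run_checks().items():
        print(f"{name}: signed={signed_ok} unsigned={unsigned_ok} tampered={tampered_ok}")
```

Note that the buggy verifier does reject a tampered image whose signature is present; the defect is purely in the "no signature" branch, which is why a review that only tests with signed images never sees it. A test suite for any update path should include the unsigned and the empty-signature cases explicitly.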


njRAT/BLADABINDI


Researchers last week detected a new, fileless version of the malicious remote access tool njRAT that propagates as a worm via removable drives.

Also known as BLADABINDI or njw0rm, njRAT acts as a backdoor capable of cyber espionage, keylogging, distributed denial-of-service attacks, retrieving and executing files, and stealing credentials from web browsers.

This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation scripting language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect, Trend Micro threats analyst Carl Maverick R. Pascual reported today in a company blog post.
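A hunting script for the propagation vector above, as an added example that is not from the article or from Trend Micro: it walks a mounted removable drive and flags PE files that carry the AU3!EA06 marker that YARA rules commonly use to spot AutoIt-compiled executables. The marker is a heuristic (legitimate tools are also compiled with AutoIt), so hits are triage candidates, not verdicts. The sample drive is a constructed temporary directory; the file names in it are made up for the demo.

```python
import tempfile
from pathlib import Path

# Marker embedded in AutoIt-compiled executables and widely used in YARA rules.
# Its presence is a heuristic: it identifies the packer, not malicious intent.
AU3_MARKER = b"AU3!EA06"


def looks_like_autoit_pe(data):
    """True only for a PE image (starts with 'MZ') that also carries the AutoIt marker."""
    return data[:2] == b"MZ" and AU3_MARKER in data


def scan_tree(root):
    """Walk `root` (e.g. a mounted removable drive) and return relative paths of AutoIt PEs."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:           # unreadable or vanished file: skip, don't abort the sweep
            continue
        if looks_like_autoit_pe(data):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed stand-in for a removable drive and return its path.

    All contents are synthetic: an archive-like document, a PE with the AutoIt marker,
    a plain PE without it, and a text file that contains the marker but is not a PE.
    """
    root = Path(tempfile.mkdtemp(prefix="usb-demo-"))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (root / "Installer.exe").write_bytes(b"MZ" + b"\x00" * 200 + AU3_MARKER + b"\x00" * 32)
    (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 200)
    photos = root / "Photos"
    photos.mkdir()
    (photos / "notes.txt").write_bytes(AU3_MARKER)   # marker outside a PE: not flagged
    return str(root)


if __name__ == "__main__":
    drive = build_demo_tree()
    for hit in scan_tree(drive):
        print(f"AutoIt-compiled executable on removable media: {hit}")
```

In production you would point `scan_tree` at each newly mounted removable volume and feed the hits into your endpoint telemetry rather than blocking on them; the point of the PE-plus-marker test is to cut the noise down to executables that would actually run, which is where a worm spreading by USB has to live.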

Source: SC Magazine

How do you protect yourself?

Proper security measures must be in place to defend against njRAT and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from cryptomining malware. Avoid clicking unknown links and downloading suspicious attachments.